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IMMARY OF CHANGES 


Purpose of the Addendum 


This document has been prepared as an addendum to the Entry/Exit Phase || Privacy impact Assessment (PIA) 
to notify the Office of the Privacy Commissioner of Canada (OPC) that effective June 28, 2016 (anticipated), 
the scope of affected travellers under the Entry/Exit Initiative will be expanded to include all foreign nationals 
and permanent residents crossing the shared land border between Canada and the United States (US). 
Specifically, information on US citizens entering either country via an automated port of entry along the land 
border will now be included in the scope of Entry/Exit. The personal information data elements, as well as the 
intended purpose for collection, will remain the same as under Phase Il, as only the class of individuals will be 
expanded. No information on Canadian citizens and Registered Indians ("Canadians") will be exchanged with 
the US at this time. 


The full implementation of the Entry/Exit Initiative, specifically the systematic collection of exit information on 
all travellers in the land and air modes, has been delayed from the initial commitment of June 2014 to provide 
the Government of Canada with additional time to pursue the requisite legislative authorities and to make 
targeted investments regarding new Information Technology (IT) systems. A new PIA will be submitted to the 
OPC 120 days prior to the implementation of all future deliverables of the Entry/Exit initiative. 


in 2011, Canada and the US issued the Beyond the Border: A Shared Vision for Perimeter Security and Economic 
Competitiveness declaration, which established a new, long-term partnership built upon a perimeter approach 
to security and economic competitiveness. The Perimeter Security and Economic Competitiveness Action Plan 
(Action itis issued later that year, sets out the joint Canada — US priorities for achieving this vision. As part 
of delivering on their commitments in the Action Plan, Canada and the US are undertaking the Entry/Exit 
Initiative. 


The Entry/Exit Initiative falls under the Canada Border Services Agency's (CBSA) mandate of providing 
integrated border services that support national security and public safety priorities and facilitate the free flow 
of persons and goods, which meet all requirements under the program legislation. 


The Entry/Exit Initiative will implement a system to exchange Biographic Entry Data^ between Canada and the 
US, such that an entry into one country is considered an exit from the other, thereby establishing a common 
and integrated approach to border management. Biographic Entry Data refers to any personal information 
collected on foreign nationals or permanent residents that enter either Canada or the US via the shared land 
border which i is subsequently exchanged under the Entry/Exit Initiative. This information i is non- derogatory 


Canada Border Services Agency 


—C————— ———— NAAA AAAA AAAA AAAA DARADARA AAAA AAAA AAAA ASSIA AAAA AR AA AAAA AAAA ARADA DARARARDA AAAA ANEA AA AAA AA AA AALAN AANAND AA AAAA NAARAAN SAARA SASS SAAANA NAA AAAA AAA 


CBSA - Released u ibid oe mation Act. 


ASFC - Divulgation 


Entry/ex Exit Addendum to the Phase PIA Protected 


and consists of basic biographi ic data elements routi inely collected from travellers enteri ing either country, 
ent 


specifically: first name, last name, middie name, date of birth, nationality/citizenship, gender, travel docum 
type, travel document number, travel document country of issuance as well as date, time, and location of 
entry. 


The Entry/Exit Initiative will continue to be implemented through a phased approach and by making et 
investments in new technology and infrastructure, where required. Three phases of the Entry/Exit initiative 
are applicable to travellers crossing the Canada - US land border, and the fourth phase involves the collection 
of Biographic Air Exit Data” on all travellers in the air mode. The coordinated investments in entry and exit 
systems will assist the Government of Canada in meeting its objective of effectively administering and 
enforcing Canada's immigration and border management programs. The Entry/Exit Initiative Is outlined in the 
Action Plan and is summarized as follows: 


Implemented 


+ (Phase i) September 30, 2012 — January 30, 2013: the implementation of a proof of concept to 
exchange the Biographic Entry Data of third-country nationals’, permanent residents of Canada and 
lawful permanent residents of the United States, at four automated common land border ports of 
entry. The proof of concept was deemed successful, thus enabling the CBSA to move on to Phase II; 


Entry Data of snide nationali, En residents of Canada and lawful peritidnant residents 
of the United States, at all automated land border ports of entry; 


Delayed 


+ (Phase lli) By june 30, 2014, the expansion of the Entry/Exit Initiative to include the exchange of 
Biographic Entry Data on all travellers at all automated" land border ports of entry; and 


e (Phase IV) With respect to air travel, by June 30, 2014, Canada will develop a system, under the 
Entry/Exit Initiative, to establish exit, similar to that in the United States. 


Both countries also committed to conduct exploratory work regarding the possible future integration of entry 
and exit information systems in the marine and rail modes. 


Current Status 


Phase ll of the Entry/Exit Initiative was successfully implemented on June 30, 2013. Presently, Canada and the 
US continue to exchange Biographi € Entry Data on th hird- -country nationals and permanent residents for 


A rhird country ‘ea means a a person Ww hoi is not à c tizen of C da ori the US $ Ora Re egistere od Tris mn Canadi 
country's respective laws. Of note is that citizens of Canada and the US are out of scope for Phase Il even thoug ad 
are foreign nationals io et ach other. The usc of the term third-country nationals is meant to exclude citizens of either country, 

t An automated port is one that has network eae: and. access to BANE: including the integrated Primary Inspection Line 


i|.) system, to allow for the electronic cap nit g into Canada. 


AS 
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Effective June 28, 2016 (anticipated), all existing activities currently in place and the uses of personal 
information collected and disclosed under Entry/Exit will remain the same as under Phase Il, but the scope of 
affected individuals will be expanded under existing authorities to enable the CBSA to: 


a) Receive Biographic Entry Data from the US Customs and Border Protection (CBP) on all foreign 
nationals (including US citizens) and permanent residents that depart Canada and enter the US 
via an automated port of entry along the shared land border; and 


b) Disclose Biographic Entry Data to the US CBP for all US citizens, third-country nationals, and 
permanent residents that depart the US and enter Canada via an automated land border 


crossing. 


| The exchange of Biographic Entry Data on Canadians crossing the land border as well as the implementation of 

an air exit system to collect Biographic Air Exit Data on ail travellers leaving Canada on board international 
flights will be deferred until the requisite legisiative and regulatory amendments are in place (currently 
anticipated for Fall 2017). 


. Biographic Entry Data collected under Phase I of the Entry/Exit Initiative is not currently being disclosed to 

other federal government departments systematically. As noted in the Phase Il PIA, this information may only 
be disclosed on an ad hoc basis subject to specific legislative authorities that govern the disclosure and 
collection of this information. All ad hoc requests for Biographic Entry Data received by the CBSA will continue 
to be processed on a case-by-case basis. 


Systematic disclosures to other government departments are currently under consideration for future phases. 


The additional privacy compliance analysis for these disclosures will be clearly outlined in a subsequent PIA 


E] 


that will be submitted to the OPC 120 days prior any new disclosures occurring. 


+ 


As outlined in the Phase Il PIA, exchanged Biographic Entry Data will continue to be used under the current 
phase to effectively administer and enforce the immigration laws of Canada, by: 


1. Reconciling Biographic Entry Data received from the US to traveller records previously 
collected by the CBSA; 


2. Facilitating the CBSA's ability to focus immigration enforcement actions and investigations on 
warrants for foreign nationals and permenent residents who are suspected to still be in 
Canada; 


3. Facilitating the CBSA’s ability to focus immigration enforcement actions and investigations on 
foreign nationals subject to removal orders who are suspected to still be in Canada; 


4. Facilitating the CBSA's ability to determine the whereabouts of foreign nationals and 
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who may be a threat to Canada’s national security; and 
5. Possibly identify program integrity issues. 


Process, data exchange and timeframe: 


(anticipated) ux thi is date, s inlbrinslion wi it be neue between Canada and the US in near real- 
| time. 


ic Entry Data on foreign nationals and 


vermanent Viersen: 
e Canada Border Services Agency Act, subsection 5(1) 
e immigration and Refugee Protection Act, subsection 4(2), paragraph 20(1)(b), and subsection 28(1) 


e Privacy Act, sections 4, 7 and subsection 8(2) 
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The Phase | PIA identified a "moderate" risk of possible onward disclosure of Entry/Exit information 
due to existing requirements within US law. The Annex Regarding the Sharing of Biographic Entry 
Data to the 2003 Statement of Mutual Understanding on Information Sharing (the Annex) between the 
CBSA, immigration, Refugees and Citizenship Canada (formerly known as Citizenship and Immigration 
Canada) and the Department of Homeland Security (DHS) has been established to mitigate this risk by 
establishing a framework to limit the purposes of the exchange to national security related cases. 
Specifically, the Annex outlines that information sharing must be done in accordance with the Beyond 
the Border Action Plan: Statement of Privacy Principles, including all authorized secondary uses and 
onward disclosures, and ensures that there are mechanisms in place to address any potential violation 
to the agreement. The purpose and scope of the Annex is limited to Third Country Nationals and 
Permanent Residents, and does not address information sharing on US citizens. 


The CBSA will post new temporary signage (as was done previously to support the implementation of 
Phase 1I) at all implicated land border crossings to notify affected travellers, including US citizens, that 
their personal information is being collected and exchanged with the US under the Entry/Exit 


Initiative. 
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As a result, the CBSA will ensure that signs posted at Canadian POEs will include language to notify 
affected travellers that the CBSA collects their personal information from the CBP when they enter the 
US by land, so that a record of entry into one country can serve as the record of exit from the other. 


All future signs will also include provisions to direct individuals to the CBSA website should they 
require additional information on the Entry/Exit Initiative, including the Entry/Exit Traveller Processing 
Personal Information Bank (PIB). 


The CBSA will also continue to employ a variety of communication vehicles to notify affected traveilers 
and the general public of the collection, use, disclosure and protections surrounding information 
gathered through the Entry/Exit Initiative. 


Retention Period 


in an effort to be consistent with other existing immigration programs (i.e. uses of personal information for 
non-citizens), an initial retention period of 75 years was established for Phase Il of the Entry/Exit Initiative. 
The CBSA has since conducted a thorough analysis of the proposed future uses, and the retention period will 
be significantly reduced from 75 to 15 years effective june 28, 2016. Biographic Entry Data collected under 
Entry/Exi 
are required to support active and ongoing CBSA immigration enforcement investigations or it has been less 


than two years since the information was used to support an administrative decision. 

The proposed retention period of 15 years is necessary to support lengthy immigration enforcement 
investigations conducted in accordance with the Agency's mandate and to enhance border management by 
| 
awareness regarding foreign nationals and permanent residents crossing Canada's border. 


providing the CBSA with reliable and accurate travel history information to support improved domain 


The reduced retention period will apply retroactively to all Biographic Entry Data already collected under 
Phase ll of the Entry/Exit Initiative, as well as to any Biographic Entry Data and Biographic Air Exit Data 
collected under future phases, The Entry/Exit Traveller Processing PIB has been updated accordingly and will 
be published on info Source by June 28, 2016 to notify the general public about the reduced retention period. 


All uses of Biographic Entry Data collected under Entry/Exit after June 28, 2016 will remain the same as 
outlined under the Phase II PIA, until the program is further expanded under future phases to include 
Canadians once the required legislative and regulatory authorities are in place. The CBSA commits to submit a 
separate PIA to the OPC to outline the use, management, disclosure, and protection of personal information 
for all future phases of the Entry/Exit Initiative, including the collection of personal information on all 
travellers in the air mode, as well as on Canadians in the land mode. 
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UPDATE TO THE PERSONAL IN 


HEER A of the class of records associated with the program or opidi d 


Traveller Processing 


. Description: Describes records related to people, goods and conveyances arriving at Canadian ports of entry 
| and records of individuals departing Canada. May include records related to the establishment or use of 
electronic systems used to administer or manage the program including the Integrated Customs 

- Enforcement System (ICES), Integrated Primary Inspection Line (IPIL), Passenger Information System (PAXIS), 

Telephone Reporting Centre System (TRCS), Secondary Processing System, Passage History Database, 

. Occurrence Reporting System (ORS), Intelligence Management System (IMS), Integrated Border Query (IBQ), 
Field Operations Support System (FOSS) , Computer Assisted immigration Processing System (CAIPS), 
Canadian Police Information Centre (CPIC), National Crime Information Center (NCIC), Client Status Query 
(CSQ), Modern War Crimes System (MWCS), Secure Tracking System (STS), Support System for Intelligence 
(SSI), National Case Management System (NCMS)}, Global Case Management System (GCMS), Automated 


Fingerprint System (AFIS). | 


Document Types: Forms, manuals, policy, memoranda of understanding, passage and enforcement history. 


x" * 

+ 1 

E M if : 
d E 


Ei o tom gha ify a an existing sara information Bank - identify PIB registration number and current 
description: 
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Entry / Exit Traveller Processing Personal Information Bank - 


Description: This bank describes information about individuals who enter Canada through all modes of travel or leave 
Canada through automated common land border crossings between Canada and the United States (US). The personal 
information collected may include, and are limited to, traveller entry and exit data elements as follows: first/given name(s), 
middle name(s), last name/surname(s), nationality (citizenship), date of birth, gender, travel document type (e.g., passport), 
aval document number, travel document country of issuance, port of entry, date and time of entry. For individuals entering 
Canada from the US, this information is collected as an extraction of the personal information currently collected as part of the 
CBSA’s traveller processing activities. For individuals vus Canada across the shared Canada US border, this information is 


collected m US Customs and Border Protection offi cial S > upon entry into the US and ecd shared with canada 


o ded such hat: an entry into « one S Country | is i considered an exit from the other hereby e: establi shing an negratod i 
coordinated approach to border management. 


Class of Individuals: Foreign nationals, permanent residents of Canada and lawful permanent residents of the United 
States. 


Purpose: The personal information is collected and used for the purposes of improving border management by enabling the 
CBSA to monitor the flow of persons entering and departing from Canada. In effect, this will enhance the public safety and 
security of Canada by increasing the effectiveness of the Admissibility Determination and Immigration Enforcement program 
activities by enabling these functions to better determine who has left Canada. Personal information is collected pursuant to _ 
the Canada Border Services Agency Act subsection 5(1), the Immigration and Refugee Protection Act (IRPA ) subsection 4(2), 
paragraph 20(1)(b) and subsection 28(1). 


Consistent Uses: The information may be used or disclosed internally for the following purposes: statistical analysis, program 
admini istration and program evaluation. The data collected regarding the class of individuals listed will be compared against 
extracts of immigration warrants, removal orders, and a subset of Enforcement Information Index lookouts to: facilitate the 
CBSA's ability to focus immigration enforcement actions and investigations on persons in Canada; and facilitate the 
Govemment of Canada's ability to determine the whereabouts of persons whom are wanted for reasons of national security, 
serious criminality, crimes against humanity or war crimes, and organized criminality. Please refer to Enforcement Information: 
Index System (EIIS) CBSA PPU 025 and Immigration Warrant File CBSA PPU 026. The data collected in this bank will be 
reconciled against a non-operational copy of information stored in the Traveller Processing Personal Information Bank CBSA | 
PPU 1101 to create a record of pube from Canada and to enable the accumulation of traveller history information. | 
Statistical analyses of the data will be conducted to: evaluate p program integrity and gain insight into trends and pattems to 
inform program policy decisions. Information may also be disclosed to the United States of America Customs and Border 
Protection for the purposes of administering and enforcing US immigration laws and in support of activities related to law 
enforcement and national security. Disclosure of the information to the US is completed pursuant to the Beyond the Border | 
Action Plan: A Shared Vision for Perimeter Security and Economic Competitiveness. Information may also be disclosed on an 
ad hoc basis to Immigration, Refugees and Citizenship Canada (IRCC); refer to: Immigration Case File IRCC PPU 042, Royal | 
Canadian Mounted Police (RCMP); refer to: Criminal Operational Intelligence Records RCMP PPU 015 and Canadian 
iue bud a d pr reter to: Canadian ee Aer M Service E CU Records CSIS PPU 045 


| 
- 


Eri. EXIS). Personalised records wi ii be retained for 15 years and will then be destroyed unless a thay, are e required to 
support active and ongoing CBSA immigration enforcement investigations or it has been less than two years since the 
information was used to support an administrative decision. 


RDA Number: 2006/004 

Related Record Number: CBSA ENF 129 
TBS Registration: 20120435 

Bank Number: CBSA PPU 1202 
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The following signature represents a 

| commitment to comply with sections 4 to 8 of 
: the Privacy Act and the related privacy policy 

| requirements outlined in the CBSA PIA as they 


| Note: Responsibility for sections 4 to 8 of the Privacy 
| Act rests with all employees of government 
| institutions that handle personal information. Officials 


who manage such programs and activities are 
responsible for ensuring that such reguirements are 


implemented as part of the administration of the 


program or activity. 
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E————— 


The following signature represents a commitment 
by the Head of the institution or his/her 
delegate(s) who is responsible for establishing 
personal information banks in accordance with 
section 10 of the Privacy Act. 


id Privacy Director 


Signature of CBSA ATI 


Date 


Note: Under the Privacy Act, the Head or his/her 
delegate(s) is responsible for complying with legal anc 
relevant privacy policy requirements related to the 
approval and registration of personal information 
banks 
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x 


This table summarizes the privacy risks identified through the PIA process, and categorizes risk 
levels as low, moderate or high. Risks are expressed in terms of both likelihood of the risk 
occurring and the impact should it occur. The goal of privacy risk management is to identify and 
maintain privacy risks within acceptable bounds. The higher ratings provide an indication of 
priority areas for implementing suggested risk mitigation mechanisms or strategies. Although a 
number of mitigation strategies are discussed, some are posed as alternatives, and the 
implementation of all strategies is not necessarily required to address the specified privacy risks. 
The Elements listed below correspond with the "Canadian Standards Association Model Code 
for the Protection of Personal Information" (10 Fairness Principles) and the Beyond the Border 
Action Plan: Statement of Privacy Principles by the United States and Canada. 


Criteria for ranking are set as follows: 

e Low: There is a remote possibility that the risk will materialize and/or the impact of the 
risk to the program is minor. 

e Moderate: The possibility of the risk materializing is very low although the impact of 
such a risk is high, OR the possibility of the risk materializing is high but the impact of such 
a risk is minor, OR the impact and likelihood of the risk occurring are both determined to 
be moderate. 

e High: There is a near certainty that the risk will materialize if no corrective measures are 
taken and/or the impact of the risk on the program is severe. 
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Action Plan 


Moderate 


Onward | 
Disclosure (US — | 
Citizens) 


| At all times, the disclosure of all personal 

| information exchanged under the Entry/Exit 
| initiative will be protected through existing 

| privacy guidelines outlined in the Beyond the 
| Border Action Plan: Statement of Privacy 

| Principles by the United States and Canada 

| and will be governed by Canada and US 

| privacy laws. 
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| Federal Institution: mE B (CBSA) 


| 


| January 2017 


Related Class of Record Number: 


| CBSA ENF 123 - Criminal investigations 
Program 
CBSA ENF 130 — Immigration investigation 
CBSA PPU 035 — Intelligence Program 
CBSA PPU 1402 — Criminal investigations 
Program 


CBSA PPU 1403 — Immigration Investigations 
| Program 
Government Official Responsible for PIA: | Vice President, Operations Branch 
Delegate for section 10 of the Privacy Act: | ATI and Privacy Director 


The purpose of this PIA is to identify potential privacy risks related to the collection, use and disclosure 
of personal information shared between the Canada Border Services Agency (CBSA) and the Criminal 


intelligence Service of Canada (CISC) and the recommended strategies to mitigate potential privacy risks 


related to the collection, use and disclosure of personal information among partner agencies. 


Established in 1970, CISC's membership is comprised of nearly 400 law enforcement agencies and is 
administered under the stewardship of the Royal Canadian Mounted Police (RCMP). CISC's fundamental 
purpose is to facilitate the timely production and exchange of criminal intelligence information to the 
law enforcement community at the municipal, provincial, and federal levels. A limited number of 
investigators in police agencies use the information stored in ACIIS to support the detection, prevention, 
and disruption of serious and organized crime in Canada. 


The CBSA will disclose publically available court records related to customs and immigration offences 
into CISCs Automated Criminal Intelligence Information System (ACIIS) when there are reasonable 
grounds to believe the offence has a nexus to serious or organized crime. Partners will search this 
information using the Intelligence Information System (IIS) query tool to support a specific lawful 
investigation. Partners may also request additional information related to the publically available court 
records through the standard written request process currently outlined in the CBSA Policy on the 
Disclosure of Personal Information: Section 8 of the Privacy Act for immigration information and in the 
Policy on the Disclosure of Customs Information: Section 107 of the Customs Act for customs 
information. 


The CBSA's investigative bodies will collect personal information uploaded into ACHS by law 
enforcement agencies to support ongoing lawful investigations of customs and immigration-related 
offences with a nexus to serious and organized crime. Offences investigated under the Customs Act 
include secreting illicit goods in an attempt to smuggle controlled goods, such as weapons or narcotics, 
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Protection Act (IRPA) includes, but is not limited to, serious criminality (section 36) and for involvement l 

in organized crime (section 37) which may cause an individual to be inadmissible to Canada. In all ind 
circumstances where queries to the ACIIS yield a match, the CBSA must make a written request detailing 

the specific information the CBSA is seeking, the authority to request and use that information, and the 

offence the information will be used to investigate. In addition, the CBSA must limit the use of this 
information to the investigation of serious and organized crime and agree to abide by any restrictions 

imposed by the originating body, in accordance with s. 7(b) of the Privacy Act and the supporting CBSA 
Governance Model, 


The scope of this PIA is focused on the disclosure of publically available court records by the CBSA, the 
collection and use of personal information by the CBSA from the ACIIS using the Intelligence Information 
System (IIS) query tool, and the collection of additional data via a written request to the originating 
agency. 


ACHS is Canada's primary law enforcement database for organized crime. It contains sensitive financial, 
biometric, and biographic personal information as well as detailed descriptions related to suspects' 
criminal history, associations, and other sensitive personal information. The National Executive 
Committee (NEC) of the CISC will provide direct access to ACIIS unrestricted data to select members of 
the four CBSA investigative bodies (Inland Enforcement Division, Intelligence Operations and Analysis 
Division, Criminal Investigations Division, and National Security Screening Division). As a Category ll(a) 
member, the CBSA will be granted access to ACIIS, based on the Agency's responsibilities and legislative p 
mandate to support lawful investigations of serious and organized crime, but must submit a written 
request to the originating agency prior to any use of information collected from ACIIS. The CBSA intends 
to sign an MOU with CISC to further define each partner's responsibilities (see Annex G); however, 
personal information will be shared between the CBSA and provincial partners in accordance with long- 
standing Government of Canada MOUs. This new MOU will be supported by the CBSA Governance 
Model: Access and Use of the Automated Criminal Intelligence Information System (see Annex D) as well 
as associated Operational Bulletins (OB), Standard Operating Procedures (SOP) developed for each 
investigative body, and the ACIIS mandatory training. Taken together, CBSA officers of the four 
investigative bodies will be made aware of the acceptable uses and applicable restrictions, when 
collecting, using, and disclosing information under the CISC-CBSA information-sharing framework. 


The information shared under the CISC-CBSA information sharing framework must be directly related to 
serious and organized crime which poses a serious threat to the safety and security of Canada and may 
only be used to support a lawful investigation into these offences. Inclusion of an individual's personal 
information into the ACIIS directly links the individual or entity to serious or organized crime which may 
have serious consequences on their reputation, finances, or safety in the event of a privacy breach or 
misuse. Accordingly, the CBSA has implemented additional safeguards commensurate with the 
sensitivities described above in order to ensure that the terms defined in the MOU are respected. 
Information collected from the ACIIS is stored within closed systems of records within the custody and 
control of each CBSA investigative body. Both systems contain administrative safeguards such as access 
controls, tracking processes, and regular systems audits of user activity. A Governance Model provides 
details on the legal authorities, the ACIIS Third Party Rule, and the consistent use principle. Finally, use 
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of this framework will be limited to a very small group of employees within each of the four Investigative 
Bodies who will receive training on an ongoing basis. 


Four privacy risks have been identified in Section 6 of this PIA: 


The National Security Screening Division is not reflected in InfoSource. 

Existing Personal information Banks require updates to reflect the CBSA-CISC Information Sharing 
Framework. 

Threat and Risk Assessments have not yet been undertaken for all CBSA databases housing personal 
information collected from partner agencies. 

Record retention schedules for the CBSA databases described above have not yet been applied. 


Privacy risk mitigation strategies for each of the risks identified above can be found in the PIA Action 
Plan (Annex C) 
This PIA is designed to harmonize with the RCMP's Privacy Impact Assessment of the Automated 
Criminal Intelligence Information System (2016). 
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| ABBREVIATIONS AND ACRONYMS 


| CISC | Criminal Intelligence Service Canada — 
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| GOC | Government of Canada 


HQ “Heada uarters 


| Identifi cation 
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PIB : Personal Information Bank 
| STS be Secure Tracking System (CBSA) 


| VPN P Virtual Private Network | 
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| The end product of information that has been subjected to the intelligence 
i 


| Intelligence 
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| Organized: Crime 
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| The Aale ion a Plan describes the steps that the Program will take to address risks 
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purpose, even if the use is not spelled out. 
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| matching activities, use of the SIN and ail activities for which privacy impact | 
| assessments were conducted have to be cited in /nfo Source PIBs, as | 
| applicable. The /nfo Source publications also provide contact information for 
| alae ment institutions as well as summaries of court cases and statistics on 
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| that have been identified by ATI and Privacy Division, OPC and TBS. 


| The Privacy Act defines an "admi nistrative purpose" to bs ihe use of an 
| individual's personal information in a decision-making process that directly 
affects that individual. 


| The Gadveltiment Secüfity Policy (2002) defines “confi dentiality" to be the. 

| attribute that information must not be disclosed to unauthorized individuals, 
because of the resulting injury to national or other interests, with reference to 
specific provi sions of the Access to information. Act and the Privacy. Act. 


ls a use that has a reasonable and direct connection to he original purposefs } 
for which the information was obtained or compiled. This means that the | 
original purpose and the proposed purpose are so closely related that the | 
individual would expect that the information would be used for the consistent 


The Policy on Privacy Protection defines "data matching " as a comparison of 
personal data obtained from a variety of sources, including personal 
information banks, for the purpose of making decisions about the individuals 

to whom the data pertains. Data matching is a specialized activity involving 
the collection, use and disclosure of personal information that is subject to the 
various requirements of the Privacy Act. 


j 
ds a series of annual Treasury Board Secretariat publications i in x which | 
government institutions are required to describe their institutions, program 
responsibilities and information holdings, including PIBs and classes of personal 
information. The descriptions are to contain sufficient clarity and detail to 
facilitate the exercise of the right of access under the Privacy Act. Data- 


| process and reveals the scope and dimension of organized or serious crime, 
| and its direct or indi rect participants. 
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Information received or collected from CBSA officials, « or the publics or eter 


| external sources that contain allegations of contraventions or criminal offences - 
f ee or ih atic cena the various acts and legislation that protect | 
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is composed of three or more persons in or outside Canada; 


- has as one of its main purposes or main activities the facilitation or 
commission of one or more serious offenses that, if committed, would 
likely result in the direct or indirect receipt of a material benefit, 

À intluding: a financial benefit, by the group or by any of the persons - 


formation 
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ppp who constitute the group; and, 


- does not include a group of persons that forms randomly for the 
immediate commission of a f a single offence. 


Operational Bulletin - Updates about policy and procedural changes that impact front-line work 
| distributed through the CBSA Intranet. 


———— — ————— 
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| Personal Information | Information about an identifiable individual as defined in section 3 of the 
| Privacy Act. This definition, although lengthy, is not exhaustive, as indicated by 
the introductory phrase, "including, without restricting the generality of the 
foregoing". Information that is not specifically mentioned in the list may still 
be included in the definition of personal information if it qualifies as 
"information about an identifiable individual". 
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| Personal Information Bank | Is a description of personal information that is organized and retrievable by a 
| person's name or by an identifying number, symbol or other particular 
- assigned only to that person, The personal information described in the 
personal information bank has been used, is being used, or is available for an 
| administrative purpose and i is under the control of a government institution. 
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RTT —— —— 
i 


| Privacy | The Office of the Privacy Commissioner of Canada describes "privacy" as ^... 
| the right to control access to one's person and information about one's self. The 
| right to privacy means that individuals get to decide what and how much 
| information to give up, to whom it is given, and fer what uses." 


| 
| 
| 


“Third Party Rule | When a document is the property of an agency or department and should n not 

j be reclassified or disseminated without prior consent of the originator. The 

| information must be stored, transmitted, and safeguarded in accordance with 
_ its classification level, as outlined in the Government Security Policy and the 

| originator's security policies. If access is requested under the Access to 

| information Act or the Privacy Act, no decision should be taken without prior 
| consultation with the originator, as the information may be subject to 


| exemptions. | 
a aos m 


| Serious Crime | Offences defined under the Criminal Code with penalties of 5y years or more, or | 


| offences defined under the Immigration and Refugee Protection Act (IRPA) | 
| with penalties of 10 years or more. | 
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TION 1 - OVERVIE 


W AND INITIATION - 


1.1 Report Objectives 


This report is a Privacy Impact Assessment (PIA) on the disclosure of publicly available court information 
by the CBSA to the CISC, and the collection of serious or organized crime intelligence in the CISC's ACIIS 
system by CBSA investigative bodies. its objectives are to: 


review the business processes in order to identify the data flow of personal information; 
analyze the collection, use, disclosure and retention of personal information; 

determine if there are privacy risks associated with the CBSA-CISC information sharing; and, 
recommend strategies to mitigate or eliminate these risks. 


v + è ë 


The information presented in this report complies with all TBS policy requirements, particularly the 
Directive on Privacy impact Assessments. It reflects the state of the initiative in February 2017. 


Government Official Responsible for the Head of the government institution / Delegate for 
Privacy Impact Assessment section 10 of the Privacy Act 


Caroline Xavier Dan Proulx 
Vice-President, Operations Branch Director, Access to Information and Privacy Division 


1.3 Description of Program or Activity: 


Program Activity: Risk Assessment 


The Risk Assessment program "pushes the border out" by seeking to identify high-risk people, goods 
and conveyances as early as possible in the travel and trade continuum to prevent inadmissible people 
and goods from entering Canada. This benefits the travelling public and the trade community by 
enabling the Agency to focus its examination and interdiction activities on high-risk people and goods, 
thereby facilitating the entry of low-risk travellers and goods. The Agency uses a variety of threat and 
risk assessment methodologies, intelligence and supporting technologies to identify potential risks to 
the security and safety of people and goods. 


Sub-Activity: Intelligence 


The intelligence Program collects, analyzes and distributes actionable intelligence regarding 
people, goods, shipments or conveyances bound for or leaving Canada to help the CBSA and 
other law enforcement partners identify people, goods, shipments or conveyances that may be 
inadmissible or pose a threat to the security of Canada. CBSA officers located within Canada, at 
ports of embarkation or at posts abroad assess information collected from a wide range of 
sources. in addition, the CBSA provides timely, accurate, strategic, operational and tactical 
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intelligence advice to government authorities, like-minded counterpart nations and stakeholders 
related to threats to national security, including information on terrorism, weapons 1 
proliferation, war crimes, organized crime, smuggling, immigration fraud and irregular ie 
migration, fraudulent documentation and border enforcement. Intelligence products such as 
lookouts, alerts, scientific reports and threat and risk assessments inform, support and enhance 

the Agency's screening and targeting capabilities and other CBSA programs (such as 
Admissibility Determination, Criminal Investigations and Immigration Enforcement). A lookout is 
reliable, accurate and actionable intelligence on actual or suspected infractions or criminal 
activities that may result in the interception of inadmissible people. A lookout takes the form of 

an electronic file record. A lookout "hit" will “flag” or identify particular individuals, including 
corporations, and specific goods, conveyances or shipments. A lookout "hit" requires a 
mandatory referral to a secondary examination. 


The Security Screening Program is responsible for the security screening of foreign nationals 
who have been referred to the CBSA by an Immigration, Refugee and Citizenship Canada (IRCC) 
visa officer abroad or in Canada, who are seeking to come to Canada as a permanent resident, 
temporary resident (e.g. visitor) or refugee, or are already in Canada and seeking to remain as a 
temporary or permanent resident. 


The CBSA is responsible for ensuring that there are no security concerns related to the individual 
seeking entry to Canada (e.g. counter terrorism, counter espionage, war crimes, crimes against 
humanity and organized crime) and, based on a thorough screening exercise (including the 
review of information and intelligence from a wide variety of internal and external sources), 
makes a recommendation to IRCC on the admissibility of the individual. This program is also 
responsible for determining the admissibility of senior diplomats being posted to Ottawa to 
ensure that they meet the admissibility requirements of the Immigration and Refugee Protection 
Act. 


Program Activity: Criminal Investigations 


Under the Criminal investigations program, the CBSA protects the integrity of border-related legislation 
and contributes to public safety and Canada's economic security by investigating and pursuing the 
prosecution of travellers, importers, exporters and/or other persons who commit criminal offences in 
contravention of Canada's border-related legislation. 


CBSA investigators review potential border legislation violations and gather evidence using a variety of 
investigative techniques, including search warrants, production orders and digital forensic analysis. 
Act, various food, plant and animal legislations, and other border-related legislation. In conjunction with 
the Public Prosecution Service of Canada, the CBSA pursues the prosecution of individuals or business 
entities who violate Canada's border-related legislation. 


"immigration Enforcement 


t 


Program Activi 


The immigration Enforcement Program determines whether foreign nationals and permanent residents 
who are or may be inadmissible to Canada are identified and investigated, detained, monitored and/or 
removed from Canada. 


Foreign nationals and permanent residents of Canada believed to be inadmissible are investigated and 
may have a report written against them by a CBSA inland enforcement officer. Depending on the type 
of inadmissibility, the merits of the report are reviewed by either a Minister's Delegate or an 
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ependent decision maker at the Immigration and Refugee Board of Canada (IRB) where a CBSA 


hearings officer represents the Minister of Public Safety. Subsequent to this review, a removal order 


y be issued against the foreign national or permanent resident in question. Removal orders issued 


against refugee claimants are conditional and do not come into force until the claim against the removal 
order is abandoned, withdrawn or denied by the IRB. 


1.4 


Sub-Activity: immigration Investigations 


The Immigration Investigations Program investigates reports of, and arrests foreign nationals 
and permanent residents already in Canada who are or may be inadmissible to Canada as 
defined by the Immigration and Refugee Protection Act. 


Investigation techniques can include data analysis of information collected regarding an 
individual's immigration application, physical surveillance to locate fugitive inadmissible persons 
and field searches of residences and belongings for evidence. Depending on the type of 
inadmissibility and the status of the person in question, inadmissibility reports are reviewed by 
either a Minister's Delegate or the Immigration and Refugee Board of Canada. When a person 
fails to appear for an immigration proceeding such as an examination, admissibility hearing or 
removal interview, a warrant for their arrest may be issued. Warrants may also be issued 
against a foreign national or permanent resident where a CBSA inland enforcement officer has 
reasonable grounds to believe that they are inadmissibie to Canada. 


Classes of Records 


http//www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip-aiprp/infosource-eng.html 


Intelligence Program 


Description: Describes records related to intelligence activities concerning individuals and entities 
that are of interest to the CBSA in connection to smuggling and contraband, irregular migration, 
immigration fraud, and inadmissibility and terrorism in support of CBSA's border enforcement 


mandate. 


Note: Records may be found in the following systems: the Intelligence Management System (IMS), 
the Support System for Intelligence (SSI), the Integrated Customs Enforcement System (ICES), the 
Field Operations Support System (FOSS), the National Case Management System (NCMS), the Global 
Case Management System (GCMS) and the Canadian Police Information Center (CPIC). 


Document Types: Policies, procedures, Operational Bulletins, National Directives, Alerts, Bulletins, 
Reports, Threat Assessments, charts, case files, Lookouts, operational and tactical intelligence 
analyses, screening aids, training strategies and course material, briefing material, question period 
cards, manuals, Memoranda of Understanding (MOU), Letters of Intent (LOI) and Written 
Collaborative Agreements (WCA). 


Record Number: CBSA ENF 1401 


Criminal Investigations Program 


s iG dos 


Description: Describes records related to the investigation of individuals and entities suspected of 
committing offences against Canada's border legislation, such as the Customs Act and/or the 
immigration and Refugee Protection Act (IRPA), and any subsequent or related prosecution. 
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Note: Records may be found in the following systems: Criminal investigations Information 
Management System (CIIMS), the Intelligence Management System (IMS), the Integrated Customs 
Enforcement System (ICES), the Field Operations Support System (FOSS), the National Case 
Management System (NCMS), the Global Case Management System (GCMS), the Automated Import 
Reference System (AIRS), the Accelerated Commercial Release Operations Support System (ACROSS) 
and the Canadian Police Information Center (CPIC). 


Document Types: Policies/Directives, procedures and functional guidance, manuals, strategies, 
budget/finance information, performance frameworks and metrics, statistics, training strategies and 
course material, business cases, Memoranda to Cabinet (MC), Treasury Board Submissions, 
Memoranda of Understanding (MOU), Written Collaborative Agreements (WCA), Letters of Intent 
(LOI), Production Orders, Search Warrants, Arrest Warrants, Forms (Charge Forms, Evidence Seizure 
Receipt, Notice of Ascertained Forfeiture, Statement of Goods Seized, Exhibit Control, Notice of 
Ascertained Forfeiture, Notice of Penalty Assessment, Notice to Crown Counsel), operational 
bulletins, plans and reports and briefing material. 


Record Number: CBSA ENF 123 


immigration Investigation Program 
Description: Describes records related to investigations into Foreign Nationals (FN) or Permanent 


Residents (PR) who may be inadmissible to Canada under the Immigration and Refugee Protection 
Act (IRPA). 


Note: Records may be found in the following systems: the Field Operations Support System (FOSS), 
the National Case Management System (NCMS) and the Canadian Police Information Center (CPIC). 


Document Types: Admissibility/Inadmissibility reports, forms (Vienna Convention Rights Form, 
Notice of Seizure, Notice of Arrest, Departure Order, Deportation Order, Exclusion Order), Warrants, 
case files, policies/directives, procedures, operational bulletins, manuals, discussion papers, 
Memoranda of Understanding (MOU), performance framework material, training strategies and 
course material, briefing notes, issue sheets and question period cards. 


Record Number: CBSA ENF 130 


The CBSA is currently revising the structure and content of its InfoSource Chapter. This compliance risk 
with the Access to Information Act has been identified in Section 6 - Summary of Analysis and 
Recommendations, below. 


1.5 Personal Information Banks 
http. //www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip-aiprp/infosource-eng.html 


Intelligence Program: 
Description: This bank describes information that is about individuals suspected of involvement in 
contraband smuggling, money laundering, terrorist financing, immigration fraud, irregular migration, 
human smuggling and/or trafficking, terrorism, or other border related enforcement and security 
concerns. Also includes information on individuals suspected of being inadmissible to Canada. 
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Pa Personal information may include name, contact information, biographical information, biometric 
| information, citizenship status, credit information, criminal checks/history, date of birth, educational 

information, financial information, travel/identity documents, personal identification numbers, 
physical attributes, place of birth, signature, import/export information, customs infractions and/or 
seizures, traveller history and immigration violations. 
Note: In addition to the requirements specified on the Treasury Board of Canada Secretariat Personal 
Information Request form, individuals requesting information described by this bank must provide 
the incident and location. Personal Information may be stored in the following systems: the 
Intelligence Management System (IMS), the Support System for Intelligence (SSI), the Secure Tracking 
System (STS), the Integrated Customs Enforcement System (ICES), the National Case Management 
System (NCSM), the Field Operations Support System (FOSS), the Global Case Management System 
(GCMS) and the Canadian Police Information Center (CPIC). 
Class of Individuals: General Public. 
Purpose: Personal information is collected pursuant to the Customs Act, the Immigration and 
Refugee Protection Act (IRPA), the Customs Tariff, the Excise Act, the Excise Tax Act the Export & 
import Permits Act, the Controlled Drugs and Substances Act (CDSA) and the Proceeds of Crime 
{Money Laundering) & Terrorist Financing Act for the purposes of obtaining information on persons 
who are suspected of border related illegal activities, including contraband smuggling and 
immigration violations. 
Consistent Uses: The information may be disclosed internally to the CBSA Operations and Programs 
Branches for the purposes of enforcement, security, audit and evaluation, briefing senior 
management, and policy; procedural, and training devel opment. The information may be disclosed 

PN externally to &itizenship-and-imemigration-Canada-(CiC)Immigration, Refugees and Citizenship Canada 

| CREC), the Canadian security In ntelligence Service: e (CSIS) and the immigration and Refugee Board (IRB) 
for the purposes of administering and enforcing the Immigration and Refugee Protection Act (IRPAJ; 
refer to: immigration Case File CIC PPU 042, Canadian Security Intelligence Service Investigational 
Records CSIS PPU 045, Immigration Division Case Files IRB PPU 140, Health Canada for the purposes 
of administering and enforcing the Controlled Drugs and Substances Act (CDSA); refer to: 
inspectorate - Medical Devices HC PPU 405, Inspectorate - Natural Health Products HC PPU 406, 
inspectorate - Pharmaceutical Drugs HC PPU 407M, Inspectorate - Biologics & Radiopharmaceuticals 
HC PPU 408, the Public Prosecution Service of Canada and the Department of Justice (DOJ) for the 
purposes of prosecution and/or appeals; refer to: Prosecutions and Prosecution-Related Activities 
PPSC PPU 002, Prosecution and Related Criminal Matters JUS PPU 015, the Royal Canadian Mounted 
Police (RCMP} for the purposes of law enforcement; refer to: Operational Case Records RCMP PPU 
005 and Depertment-af-Foreign-Affairs,-Lrade-and-Developbment-(OFACLD-Global Affairs Canada(GAC) 
for the purposes of export control. The information may also be disclosed externally with various 
Foreign Governments subject to multilateral Treaties, Mutual Legal Assistance Treaties, or Written 
Collaborative Agreements (WCA), Interpol and municipal/provincial/territorial law enforcement 
agencies for the purposes law enforcement. 


Retention and Disposal Standards: Customs Information: Records will be retained for five years and 
then are destroyed; Immigration Information: Under Development 

RDA Number: Customs Information: 2000/033; Immigration Information: 2006/004 

Related Record Number: CBSA ENF 137, CBSA ENF 1401 

TBS Registration: 005187 

Bank Number: CBSA PPU 035 
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Criminal Investigations Program: 
Description: This bank describes information that is about individuals subject to criminal 
investigation by the CBSA. Personal information may include photographs, name, contact 
information, biographical information, biometric information, citizenship status, credit information, 
criminal checks/history, date of birth, date of death, educational information, financial information, 
personal identification numbers, physical attributes, place of birth, place of death, signature, 
identity/travel document, residence history, phone. records, computer records, caution flags, 
business records, import/export information, customs infractions and seizures, immigration 
violations and offences, travel history. 
Note: In addition to the requirements specified on the Treasury Board of Canada Secretariat Personal 
information Request form, individuals requesting information described by this bank must provide 
the incident and location. Personal information may be stored in the following systems: the Criminal 
Investigations Information System (CIIMS), the Intelligence Management System (IMS), the 

Integrated Customs Enforcement System (ICES), the Automated Import Reference System (AIRS), the 

Accelerated Commercial Release Operations Support System (ACROSS), the Field Operations Support 

System (FOSS), the Global Case Management System (GCMS), the National Case Management 

System (NCMS), the Secure Tracking System (STS) and the Canadian Police Information Centre (CPIC). 

Class of individuals: General Public. 

Purpose: Personal information is collected pursuant to the immigration and Refugee Protection Act 

(IRPA), the Customs Act, the Customs Tariff, the Excise Act, Export and Import Permits Act and the 

Criminal Code of Canada for the purposes of law enforcement. 

Consistent Uses: The information may be disclosed internally to the CBSA Operations Branch for the 

purposes of law enforcement, for purposes of detection, suppression and prevention of offences and 

for the purposes of quality assurance, evaluation, Program integrity and to brief senior management. 

The information may be disclosed externally to the Public Prosecution Service of Canada and the = 

Department of Justice (DOJ) for the purposes of prosecution and/or appeal purposes; refer to: 

Prosecutions and Prosecution-Related Activities PPSC PPU 002 and Prosecution and Related Criminal 

Matters JUS PPU 015, and to the Royal Canadian Mounted Police (RCMP) for the purposes of law 

enforcement; refer to: Operational Case Records RCMP PPU 005. The information may also be 

disclosed externally to Foreign Governments subject to multilateral Treaties or Written Collaborative 

Agreements (WCA), provincial attorney generals (crown attorneys), law enforcement bodies and 

detaining authorities for the purposes of law enforcement. information may also be disclosed 


biegen 


P 


externally to municipal/provincial/territorial law enforcement agencies and Interpol for the purpose 
of jaw enforcement. 


Retention and Disposal Standards: Customs Information: Records will be retained for seven five 
years and then are destroyed. immigration Information: Under Development. 

RDA Number: Customs information: 2000/033; Immigration Information: 2006/004 

Related Record Number: CBSA ENF 123 

TBS Registration: 20140079 

Bank Number: CBSA PPU 1402 


immigration Investigations Program: 
Description: This bank describes information that is used in support of the Immigration 
Investigations Program, including the management of immigration arrest warrants, the preparation 
and confirmation of inadmissibility reports, supporting material for inadmissibility hearings, 
detention reviews and Immigration Appeal Division appeal hearings from visa refusal decisions or 
removal orders. Personal information may include name, contact information, biographical 
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information, biometric information, citizenship status, credit information, criminal checks/history, 
date of birth, place of birth, educational information, financial information, physical attributes, 
employee personnel information, medical information, photos, signature, travel documentation, 
travel history and personal identification numbers. 

Note: In addition to the requirements specified on the Treasury Board of Canada Secretariat Personal 
Information Request form, individuals requesting information described by this bank must provide 


the immigration client identification number. Personal information may be stored in the following 


systems: the Field Operations Support System (FOSS), the Global Case Management System (GCMS), 
the National Case Management System (NCMS), the Secure Tracking System (STS), the Confirmation 
and Tracking System (CATS) and the Canadian Police Information Centre (CPIC). 

Class of Individuals: Foreign Nationals (FN) and Permanent Residents (PR). 

Purpose: Personal information is collected pursuant to the immigration and Refugee Protection Act 
(IRPA) for the purposes of the administration and enforcement of IRPA and related immigration 
legislation and regulations. 

Consistent Uses: The information may be disclosed internally with the CBSA Operations and 
Programs Branches for the purposes of enforcing the Immigration and Refugee Protection Act (IRPA), 
including the "Wanted by the CBSA" initiative, audit and evaluation, briefing senior management and 
policy, Se ue trai ining development, The information may be disclosed externally to 
Cimenship-and eration-Canada-(CiC) Immigration, Refugees and Citizenship Canada (RCC) for 


enforcement; refer to Operational Case Records RCMP PPU 005. The information may also be 
disclosed externally with various Foreign Governments subject to multilateral Treaties, Mutual Legal 
Assistance Treaties, or Written Collaborative Agreements (WCA) for the purposes of administering 
and enforcing immigration and citizenship laws. Information may also be disclosed externaily to 
municipal/provincial/territorial law enforcement agencies and Interpol for the purposes of 
immigration law enforcement. 


Retention and Disposal Standards: Under Development. 

RDA Number: Customs Information: 2000/033; Immigration Information: 2006/004 
Related Record Number: CBSA ENF 137, CBSA ENF 127, CBSA ENF 130 

TBS Registration: 20140077 

Bank Number: CBSA PPU 1403 


e CBSA vis ipw brine the structure and content of its i peo This bd dea a risk 


A QUA below. 


1.6 Legal Authority for Program or Activity: 


CBSA derives its authorities from the Canada Border Services Agency Act, its program legislation, and 
related legislation, including, but not limited to the following: 


. The Privacy à Act Fe 4) requires that no personal information may be collected by a government 
institution unless it relates directly to an operating program or activity of the institution. 
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e The Canada Border Services Agency Act (s. 5) provides the mandate of the CBSA as "providing 
integrated border services that support national security and public safety priorities" by (a) | 
supporting the administration or enforcement, or both, as the case may be, of the program ut 
legislation. 

o “Program Legislation", within the CBSA Act, is defined as "any other Act of Parliament, 
or any instrument made under it, or any part of such an Act or instrument" (a) "that the 
Governor in Council or Parliament authorizes the Minister, the Agency, the President, or 
an employee of the Agency to administer and enforce, including the Customs Act...[and] 
the Immigration and Refugee Protection Act." 

e The Canada Border Services Act (s. 9(2)) authorizes the President of the Agency to designate a 
person or class of persons as officers. 

+ The Immigration and Refugee Protection Act includes a number of grounds for inadmissibility for 
participating in or being a member of an organized crime group, including: 

Oo Serious Criminality (s.36) 
© Organized Criminality (s.37) 

e The Customs Act includes a number of offences which are commonly violated by organized 
crime units related to the illicit importation of goods, including: 

o Smuggling (s. 159) 


CISC Authority to Disclose Data to CBSA: 


e The Privacy Act (s. 8(2)) allows for personal information to be disclosed without the consent of 
the individual to whom it relates for the following purposes: 

o Consistent Use (8(2)(a]: when the purpose for which the CBSA would use the 
information is clearly and directly connected to the purpose for which it is collected. In 
the case of ACIIS, CISC must be satisfied that the CBSA will only use the information to bod 
further a lawful investigation in relation to organized crime. This consistent use is 
currently detailed in RCMP Personal Information Bank PPU 005: Operational Case 
Records. 

o Investigative Use (8(2)(e)); when an investigative body of the CBSA, specified by 
Schedule Il of the Privacy Regulations, has provided a written request to the originator 
detailing the law it is seeking to enforce or the lawful investigation it seeks to carry out 
and describes the information being requested. 

2 Schedule ll of the Privacy Regulations designates specific areas of the CBSA with 
"Investigative Body" status for the purpose of 8(2)(e): 
e Criminal Investigations Division, 
* inland Enforcement Division 
* intelligence & Targeting Operations Directorate 
* Schedule li of the Privacy Regulations does not include the National Security and 
Screening Division. 
= The Public Service Rearrangement and Transfer of Duties Act states that 
if a unit has the same powers, duties or functions of its predecessor 
unit, those powers, duties or functions are transferred to the new unit. 
This means that if the requesting unit is a legacy unit of one listed in the 
Privacy Regulations, then they are considered to have IBD status. 
+ The National Security Screening Division (NSSD) is a legacy unit of the 
intelligence & Targeting Operations Directorate currently listed in the 
Privacy Regulations and are considered to have IBD status. p 
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* The Privacy Act (s. 7(b)) requires that "personal information under the control of a government 
institution shall not..be used by the institution except..(b) for a purpose for which the 
information may be disclosed to the institution under s. 8(2)." 

O As articulated in the CBSA Governance Model, information may only be used for the 
purpose for which it was collected: to support lawful investigations into serious and 
organized crime. Any secondary use or disclosure requires a CBSA investigator to obtain 
a written consent from the originating party or request a disclosure under a different 
provision under s. 8(2) of the Privacy Act. 


e The Pier. Act (s. 69(2)) decides publically available information from the use (s.7) and 
disclosure (s.8) restrictions. Published court records are considered publically available by 
default unless the judiciary has imposed specific measures to prevent publication. 


CBSA Authority to Disclose Personal information upon Request: 


® The Privacy Act (s. 8(2)) allows for personal information to be disclosed without the consent of 
the individual to whom it relates for the following purposes: 

o (investigative Use (8(2)(e); when the requesting agency, listed in Schedule H of the 
Privacy Regulations, has provided a written request to the CBSA detailing the law it is 
seeking to enforce or the lawful investigation it seeks to carry out and describes the 
information to be disclosed. 

o Under an arrangement or agreement (s. 8(2Hf); when an arrangement or agreement is 
in place between the Government of Canada and a province and the information will be 
used to carry out a lawful investigation. 

"= The Government of Canada, represented by the Attorney General, has 
information sharing Memoranda of Understanding with the Attorney General of 
each province signed in 1982 to enable sharing of personal information. These 
arrangements do not contain the same privacy safeguards as found within 
contemporary CBSA MOUs. This has been identified as a privacy risk in section 6 
of the PIA. 

e The Customs Act (s. 107(5)(a}) permits the disclosure of customs information to a peace officer if 
the official who is disclosing the information has reasonable grounds to believe that the 
information relates to the alleged indictable offence and will be used in the investigation or 
prosecution of said offence. 


1.7 Summary of the Project, Initiative, or Change: 


The purpose of this PIA is to identify potential privacy risks related to the collection, use and disclosure 
of personal information shared between the Canada Border Services Agency (CBSA) and the Criminal 
Intelligence Service of Canada (CISC) and the recommended strategies to mitigate potential privacy risks 
related to the collection, use and disclosure of personal information among partner agencies. This 
project is scheduled for implementation in early 2017 upon signature of the CBSA-CISC Memorandum of 
Understanding (Annex GC). 
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The CBSA's investigative bodies will collect personal information from the Automated Criminal 
intelligence Information System (ACIIS), through the Intelligence Information System (IIS) query tool, to | 
support ongoing lawful investigations of customs and immigration-related offences with a nexus to = 
organized crime by directly accessing the ACIS. if relevant information is found, the CBSA officer must 
follow-up with the originating member agency, through a written request detailing the purpose of the 
investigation, to seek consent to use this information. The scope of this PIA is focused on information 

sharing between the CBSA and CISC. It does not examine the use of this information in the operational 

context of each Investigative Body, as this will be examined in PIAs specific to the function of each 
investigative body. The CBSA recognizes that it has a significant gap in its current PIA framework and 

has identified this as a privacy risk in Section 6 below. 


The CBSA will also share and maintain publically available court information relating to serious or 
organized crime (and the related CIIMS case number) with ACIIS partner agencies. Authorized CISC 
member law enforcement agencies may access this information within ACIIS and may provide a written 
request to the CBSA for additional information to support their own lawful investigations. The CBSA will 
evaluate each request on a case-by-case basis in accordance with the Policy on the Disclosure of 
Personal information: Section 8 of the Privacy Act or the Policy on the Disclosure of Customs Information: 
Section 107 of the Customs Act; depending on the type of information requested. 


ACIS is Canada's primary law enforcement database for serious and organized crime. It contains 
sensitive financial, biometric, and biographic personal information as well as detailed descriptions 
of the CISC will provide direct access to ACIIS unrestricted data to select officers within each of the 
CBSA's four investigative bodies (Inland Enforcement Division, Intelligence Operations Division, Criminal 
investigations Division, and National Security Screening Division). As a Category Ila) member, the CBSA 
has been granted access, based on the Agency's responsibilities and legislative mandate, conditional on 
the use of this data being limited to criminal information/intelligence concerning serious and/or 
organized crime in accordance with the ACIIS policy and Regulations and the governance framework. 
The CBSA has developed a Governance Model to act as an overview for officers to ensure that the 
Agency is supporting the CISC national strategy to combat serious and organized crime as well as abiding 
by its commitments under the CISC governance framework. The Governance Model will be 
supplemented by specific Operational Bulletins and/or Standard Operating Procedures to provide 
practical guidance to officers collecting, using, and disclosing personal information under the CBSA-CISC 
Information Sharing Framework. 


Four Part Test of Necessity, Effectiveness, Proportionality, and Minimal Privacy Intrusion 


Serious and organized criminal activity is a multi-faceted problem that poses a significant threat to 
public safety and negatively affects the daily lives of Canadians. Tied to illegal activities such as drug 
smuggling, money laundering, theft, and human trafficking, organized crime groups and individual actors 
have a violent and corrupting effect extending beyond any single jurisdiction. Beyond the immediate 
effect of the crimes themselves, organized crime entails a number of secondary effects such as greater 
costs for law enforcement, justice, and corrections as well as higher insurance premiums and banking 
fees. Many criminal organizations operate throughout Canada and across international boundaries, 


extremely difficult for isolated law enforcement to differentiate isolated acts by independent actors 
from coordinated operations by sophisticated organized crime groups. Information sharing amongst law 
enforcement agencies is a necessary tool to identify, intercept, and ultimately dismantle organized 
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crime groups by enabling an intelligence-led response to focus resources across multiple jurisdictions to 
target the leadership of these groups. 


Created in 1970, the CISC has a proven record demonstrating the effectiveness of information sharing 
among municipal, provincial, and federal law enforcement agencies. Previous national tactical 
strategies have focused on the dissolution of Outlaw Motorcycle Gangs, illicit offshore gambling 
enterprises, child pornography rings, and drug manufacturing/distribution groups. The CISC is effective 
at analysing and defining the problem to enable larger coordinating bodies, such as the Canadian 
Integrated Response to Organized Crime (CIROC) and the Canadian Association of Chiefs of Police 
(CACP), to commit resources at the strategic level to support tactical operations among partner 
organizations at the Federal, Provincial and Territorial levels. 


The CISC governance framework, as well the CBSA Governance Model, is designed to ensure that 
information contained within the ACIIS database is limited exclusively to persons or entities directly 
involved in serious organized crime. Each disclosing institution is responsible for identifying the 
reliability of the information, in accordance with regulation 7 of the CISC Regulations, and the CBSA 
Governance Model requires that secondary verifications be performed before any administrative action 
is taken. Moreover, each party is bound by restrictions to seek written authorization of the originating 
party before disclosing the information onward or using the information to investigate another crime. 
Information sharing on organized crime groups, and the resultant law enforcement efforts which may 
follow, is considered by the CBSA to be proportional because the violence, financial loss, and other 
negative societal effects caused by serious and organized crime overwhelmingly supersedes the 
reasonable expectation of privacy of individuals suspected of engaging in these activities. 

The CISC is designed in a privacy-sensitive manner by providing the minimal amount of personal 
information necessary to enable investigators and analysts to identify partners with relevant 
information and facilitate communication among these bodies. The originating body maintains the 
discretion for disclosing additional information upon receipt of a written request. The requesting 
partner remains bound by a strictly enforced "Third-Party Rule" regime to prevent the onward 
disclosure or secondary use of information without the consent of the originator. Finally, information 
sharing is among the least invasive tools within an investigator's toolkit. Validating the reliability of 
information amongst a larger pool of trusted partners, within the law enforcement community, prevents 
more invasive investigative techniques (such as electronic surveillance, physical monitoring, or 
infiltration by undercover officers) from being employed based on incomplete or inaccurate 
information. 


A number of risks have been identified in this Privacy Impact Assessment (PIA), as reflected in Section 6: 
Summary of Risks and Recommendations. CBSA Senior Management has acknowledged these risks and 
has developed an Action Plan to implement mitigation strategies for each risk. The CBSA expects that 
these mitigation strategies will be fully implemented in accordance with the commitments detailed in 
the PIA Action Plan (Annex C) 
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K AREA IDENTIFICATION AND CATEGORIZATION 


MT e mm mm NR RR. 


| 24 . Type of Initiative 
| 1.1 Initiative that does NOT involve a decision about an identifiable individual 1 


Personal information is used strictly for statistical / research or evaluations including mailing list 
where no decisions are made that directly have an impact on an identifiable individual. 


The Directive on PIA applies to administrative use of personal information. The Policy on Privacy 
Protection requires that government institutions establish an institutional Privacy Protocol for 
addressing non-administrative uses of personal information. 


| 2.2 Administration of Programs / Activity and Services 


Personal information is used to make decisions that directly affect the individual (i.e. determining | 
eligibility for programs including authentication for accessing programs/services, administering | 
program payments, overpayments, or support to clients, issuing or denial of permits/licenses, 
processing appeals, etc.) 


24.3 Compliance / Regulatory investigations and enforcement | ]3 

| Personal information is used for purposes of detecting fraud or investigating possible abuses within | 

programs where the consequences are administrative in nature (i.e. a fine, discontinuation of 

| benefits, audit of personal income tax file or deportation in cases where national security and/or 
criminal enforcement is not an issue). 


(2.4 Criminal investigation and enforcement / National Security LX} 4 


Personai information is used for investigations and enforcement in a criminal context (i.e. decisions 
may lead to criminal charges/sanctions or deportation for reasons of national security or criminal | 
enforcement). ee 


criminal prosecution or removal from Canada. 


REGIMINI MUI MEDI Ee eee 


from the individual or provided with the consent of the individual for disclosure 
under an authorized program. 


| 2.1 Only personal information, with no contextual sensitivities, collected directly 


| 2.2 Personal information, with no contextual sensitivities after the time of collection, 
| provided by the individual with consent to also use personal information held by 
another source. 


2.3 Social Insurance Number, medical, financial or other sensitive personal 
i information and/or the context surrounding the personal information is sensitive. 
Personal information of minors or incompetent individuals or involving a 


i 

| representative acting on behalf of the individual. | 

24 Sensitive personal information, including detailed profiles, allegations or | 
suspicions, bodily samples and/or the context surrounding the personal : 
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33 With other or a combination of federal/ provincial and/or municipal 
government(s} 


.3.4 Private sector organizations or international organizations or foreign 
Ru 


ee ner ne ERR ERR LA ADP A RAS RAA AA ll imme ne m ND NINANA NN EEN D ER REA A RON AER EE RAR RA AA AAA 


time initiative 


Typically involves offering a one-time support measure in the form of a grant payment as a social 
support mechanism. 


4.2 Short-term program 


An initiative that supports a short- term Boal with an established ' "sunset" date. 


4,3 Long-term program 


_ Existing program that has been modi edo oris ai with no clear “sunset”. 
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6.1 Does the new or modified initiative e involve the implementation of a new electronic _ Yes ur 
system, software or application program including collaborative software {or | 
groupware) that is implemented to support the initiative in terms of the creation, 
collection or handling of personal information? 


6.2 Does the new or modified ini Hate require any modifications to IT legacy systems and No 
/ or services? - 


.6.3 Does the new or modified initiative involve the implementation ofoneormoreofthe = = 
following technologies: | 


6.3.1 Enhanced identification mathode: . No 
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint 
analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass 
technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. 
identification cards that are embedded with either an antenna or a contact pad that is 
connected to a microprocessor and a memory chip or only a memory chip with non- 
programmable logic). 


6.3.2 Use of Surveillance: 
This includes surveillance technologies such as audio/video recording devices, thermal 
imaging, recognition devices, RFID, surreptitious surveillance / interception, computer 
aided monitoring including audit trails, satellite surveillance etc. 


6.3.3 Use of automated personal information analysis, personal information matching . No 
and knowledge discovery techniques: : 
For the purposes of the Directive on PIA, this includes activities that involve the use of 
automated technology to analyze, create, compare, cull, identify or extract persona! 
information elements. Such activities would include personal information matching, record - 
linkage, personal information mining, personal information comparison, knowledge 2 
discovery, information filtering or analysis. Such activities invoive some form of artificial 
intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns 
or to predict behaviour. 


7.1 The pecie information is used within a closed system. [11 


No connections to internet, Intranet or any other system. Circulation of hardcopy documents is 
controlled. 


7.2 The personal informati ion is used in system that has connections to at least one other | [ ]2 
system. 


7.3 The personal information is needs portable device or is printed. 3 
USB key, cD- ROM, laptop computer, any transfer of the personal information to a different medium. 


| Details: CBSA investi igators will access the ACIIS system via the IS; interface over a secure | VPN incorporatiog PKI 


: cryptography from authorized 3 workstations | in secure CBSA locations across Canada. 
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$4 Managerial harm. 


Processes must be reviewed, tocis must be changed, change in provider / member. 


| 8.2 Organizational harm. O2 


Changes to the organizational structure, changes to the organizations decision-making structure, 
changes to the distribution of responsibilities and accountabilities, changes to the program activity 
architecture, departure of employees, reallocation of HR resources. 


8.3 Financial harm. | L]3 


Lawsuit, additional moneys required reallocation of financial resources. 


8.4 Reputation harm, embarrassment, loss of credibility. [14 
Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome 
compromised, government priority compromised, impact on the Government of Canada Outcome 
areas. 


Seen 


9.3 Fina ncial harm. 3 


94 e harm. | E 
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104 Matiagerial harm. 


Processes must be reviewed, tools must be changed, change in provider / member. 


10.2 Organizational harm. 
Changes to the organizational structure, changes to the organizations decision-making structure, 
changes to the distribution of responsibilities and accountabilities, changes to the program activity 
architecture, departu re of employees, reallocation of HR resources. 


10.3 Financial harm. 
| Lawsuit, additional moneys required reallocation of financial resources. 


10.4 Reputation harm, embarrassment, loss of credibility. - : x4 


Decreased confidence by the public, elected officiais under the spotlight, institution strategic outcome 
compromised, ‘government prior ity compromised, impact on the Government of Canada Outcome areas. 


RS E ERIC diii n T TIT AAA I SSE Utente HTTP Peer inea sharin n AMAA AMAARAAMAT 


Detalls: If data disc losed from the CISC’s ACIIS ¢ database to CBSA investigative bodies i is breached, the D Director 
- General, CISC or Executive Committee may suspend or revoke access to o Adi 5 9 membership in in oO in n accordance 


10. 1 Inconvenience. E " 
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| SECTION 3 - ANALYSIS OF PERSONAL INFORMATION ELEMENTS 


1. CBSA Data to be uploaded to ACIIS: 


Element .Sub-Hement ^ | Format | - Purpose / Necessity | 


ee ne Fae une SOUT NES NNNM NOONE? mon a pene 


Entity first name | Entity first name | E 


a _ Category 


Meine cruel NL a EINO EEEN AONAR A AR Een 


AAA AR AAA AAA RAR AAA AAA AAA AAA REED SR SD AAAA PROS DES RSR SNS dd A RL UD i LU e cod 
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i E i . 
——————— THEE eee ESQ ——————— nn SIRE RAR REET RET NUNG EISE SURE IRAE S CE E CNN ——P———————————— ————— SPORE UNE SR ERR ENARRARE IRRRURIRURRUEP ane en 


2 | Biographical. Entity second r name =. Entity second name : E |! To identify | individuals i in the C cums S system 


3 Biographi cal | Entity name | Entity name : E | To identify individuals i in ^ the CIIMS system 


PR 


————————— — —^A—X—— — — — 


PETER AAA AAA AAA 


| 4 Biographi cal - Date of Birth I! Day, month, | year : E -— To identify individuals i in the CIIMS system | | 


i d 
Aa AENEA SIUE NEUE, ees teeta NO E CETTE iii iinet iii nn nnn tte NNT 
i 


had d AI e e iid iii 


A RB BN BN I NN NN NS NN NN NP NS Ce edd 


i 
SES Ee DD e RN Rh P t RR P RN NH Ohh t S Mee teet eter elutee te IM ee EMI EIUM eSI ASAA AAAA AAAA. 


NE Data concluded 


6 | | Criminal History | To identify when the enforcement action 


5 | Criminal History Date charges laid - + NA | E | To describe criminal history 
| | concluded 


sod A  —————————M—— 


Criminal History — - Results | NA | E — | To describe results of trial 


APPIAN NÉS e ufa (€ T: A APA 


IE Criminal History | Sentence | NA E |To describe the sentence handed down: " 


8 
9 | Investigation | CIMS Case Number 


ue H 
Eds 


10 | | Investigation Association with | NA N/A | | To conform to File Entry Criteria, as defined “Connection with organized crime | 
| Organized Crime | | in part F of CISC Regulations created by inference based on 


inclusion i in ACIS - 
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Element e Sub- Element | Format | Purpose À Necessity | 
i o ee pue Un E UE IEEE ee UT NIU MEO 
Surname | E | To ; identify individual in support of a lawful | 
| | b. investigation 
| Given names E | To identify individual i in vstmpnoré ots a lawful 
E | | investigation 
Aliases E E To identify dividual í in support of a lawful 
| investigation 


| Date of birth E | To identify individual i in supports ofa a lawl 


investigation 


Day, month, year 


To identify individual i in support of a lawful 
investigation 


LOM eu eue a a ree Race E e eR A t TEE "ea ea alate ee eae ule euim uu omoi viuo noui nr o ——— MR a E a RA AB RR ARA RANA SR NNI P Stt einn uu e ES 


To identify individual i in support of a "uer 
investigation 


p 
| To identify individual in support of a lewhil Race assists to identify 
| investigation person(s). The CBSA encounters 

many persons arriving at | 
Canada’s ports of entry. 


Ree m RR RR e ERR RR A A COC RAR RA RAA AA AA a aa AA a a PASSING NT E P STINT SEES 


i 
f 
| 


— P NUR NR NNI NEU ac Lum C c 
| Hair Colour, length, | To identify Individual in in support of a lawful 


Physical 


| Descriptors style | investigation 
ee VENERE | ji | NENNEN NNNM 
| Physical Eye glou | Colour (e.g: Blue) | E | | To identify in individuali in isapport of a lawful 

| Descriptors : | | | investigation | 


a ae + "EE TEE. MM NEN ERE 
Facial hair | style las g aoa | E To identify individual i in support tof: a lawful | | 


| 10 | Physical 
| | investi gati On | 
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| Physical 


HESCH PIONS: 


ee = ii 


12 
Descriptors 


Physical Height 


Physical Weight 


| Descriptors | 


EE EE aD 


Biographical Marital s status 


14 


f 


H 


PT — | Descent 
Duden naim: NON o te ce 
i 
16 | Biographical | Date deceased 
| | 


Biographical Employment 


[ERR 
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| African, Arab, 
: Canadian, 


| Caribbean, 


| Estonian, etc. 
| 


NER BEBE AM MARBRE, 


AAA MAR 


eer 


| Spouse n not —— M 
| | they are suspected of 
| involvement or complicity in 


| investigation | 


| To identify individual w with mm associativ 
| ties to primary suspect 


ER 


To o identify individual i in Sema of a lawfid 
investigation 


pe 


To establish associative ties for descent-based | 
organized. crime groups 


H 
NP PEN EU PES ttt ttt dett ttt tt t e tt Att TEPEN 


To Identi fy i individual in n of a lawful 
investigation 

To close investigations against deceased 
individuals 


To support a will investigation as a 
reflection of subject’s legitimate means of 
income 

To support a lawful investigation to locate an 
individual 


| Purpose I Necessity - | Notes | 
en | 
D T ea dd UA As ACO cesse ge DONNER ad a Pl M en AT f 
: E | To identify individual in support of a lawful : 
| investigation | | 
conne ee NAS ANR ANR E ane ER d - UNIO oi La Re ot M te en 
| E | To identify individual in support ara lawful | 
D investigation | 
E | To o identify individual in support of a lawful | 


| primary suspect's illegal 
| activities. 


| Gescenti isa Bus: digit code 


| which refers to the heritage or 
| ethnicity of the subject. There 
| are 50 descent codes. 


Date derent "me applies for 
individuals who have been dead 
for less than twenty years, in | 
accordance with 3(m) of the 
Pec d Act. 


May be used as a comparison 
against individuals lifestyle and 
spending habits to indicate | 
presence of illicit source of funds. 
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Biometric | Finger Print Serial 


| Loc] criminal retata à no. 


€—————Ó 


PROTECTED B | PIA 


tp ——————— 
| Sub-Element - d Format | Purpose / ‘Necessity | Notes 
| | To support a lawful investigation if employing | 
| | entity is involved as an n organized crime entity : 
coer | MU EIE NERIS. K EERSTE SRST snob vig obscenities PE MR HOS od oS URN NER RE ines Sin aa ee S M Fe M M E M ME 
| E | To support a lawful investigation into | 


individuals or entities communicating in | 
Chinese characters | 
This element may be collected: " ha CBSA Finger Print Serial numbers are 
from ACIS if it supports a lawful investigation | available in the Canadian Police | 
to help confirm the identity of the subject. Information Centre. The | 
collection of this information 
supports the confirmation of a | 


person's identity. 


To identify individual in opor ot a lawful 
investigation 


| body and expedite retrieval of associated 
| record 


| 
To facilitate written request to originating 
| 


| | 
reflection of subject's legitimate means of — | 


E | To support a lawful investigation asa 
income 


| i 
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mnt z oo | = OO 00 RE 
| Biographical Scope? phere of p E To support lawful ee to PORE 
| influence od dii ial and social influence on others 


a eat ete oe ee ee eee ence een eu nue ie iua iu n an ——P EE 


—1 Clothing fraquentivw worn | - E | To identify an individual subject to a wl. | May be used as a comparison 
| | investigation in the field | against individual's lifestyle and 


| To support a lawful investigation as a spending habits to indicate 

| reflection of subjects legitimate means of ^ Presence of illicit source of 

| income funds. Some criminal 

| | organizations wear clothing 

| representing allegiance to the 
| group ~ outlaw motorcycle 

| gangs or street gangs. 


I ————— RER ah ee nae IQQ en ttle TEE NN RAA EAE 


oo 
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24 | | Nationality | Place of birth 


E 3 To o identify individual in support of a awful 
: este 


organized crime groups | 
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25 | Biographical | Base | City 


: To identify related entities within individual S | Geo-code assigned to 
sphere of influence | individual's city of operation. 


To support a lawful investigation to locate a | 
subj ject | 


: 26 physical Physical characteristics Scars, tattoos, | k To identify individual in support of a Ew 
| ' Characteristics | piercings | | investigation 
| | , | To establish membership in a group based on 
| 2 | | : | distinctive markings 
-————— PEE EE ee an 


| 27 | | Biograph cal Languages spoken | | E |To identify individual in support of a lawful T— | 
| 


| investigation 


! : | To establish associative ties for descent-based - 
| : eas SiP eats | 
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34 | Criminal History - 


: Telecomm info 


Telecomm info 


PROTECTED B 


t mt tmt mmm tmm mmm mtn 


Credit cards, etc. 


Suspect, charged, 


person of interest, 
gang member, 
deceased person 


Description 


E To identify individual in support of a lawful 


PIA 


To identify a an individual in support of a lawful at | 
investigation 


E To establish associative ties for descent- Ve 
| kas crime groups. | 


E | To identify individual i in support of a — 
Investigation 


E | To identify individual in support of a lawful 
investigation 


| Actlvity/tunetion/eommodity to 
| describe the suspected or 
| confirmed criminal activity 
a ———— ne — 
E To a deia an n indbáiuaf' in — of a lawful | 
investigation 


E To establish membership in an organized 
i crime group 


| To tailor investigative technique based on 
| proximity and ranking iiam a igroup 


investigation 


To facilitate electronic surveillance, if 
required 


To identify individual in support of a lawful 
bru od 
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Category - Ex Element Format | Purpose / Necessity - | 
B : required | 
— eT BE E li apr. à ean! Pe See 


2 Telecomm info | E | To identify individual in support of a lawta 


i investigation 


To facilitate electronic surveillance, if 
| required 


—— 
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38 Contact Telecomm info | Area code | E To identify indicidusi in support of a lawful 
: | investigation 
| | | To facilitate electronic surveillance, if 
required 
i pum | Contact Telecomm info Telephone E To identify individual in support of a lawful 
| number investigation 
| | | To facilitate electronic surveillance, if 
| 2 - required 


Fo identify individual i in nu ofa wil 


| 40 Contact | Telecomm info Extension | E 
| | investigation 


| | | : | | To facilitate electronic surveillance, if 
| required 


MMMee ee eee Defoe en DeA eue ein ttt ttt t t AAA BUSES TUS de eie ee eei 


Contact Telecomm info 


| File number | E l 


E | 
1 
1 
1 
1 
3 
E 
1 


| To facilitate electronic surveillance, if 
| ee 


RTS ROSES RTE RO TOR AL ARR AR E ERR ARA E S FORT REPONSES TETE TESTS TE TEE ttt PER ET ET PRES TERRES ——— M— TOUS 


-Telecomm info | | Base | E To identify in individual à in support tof: 8 lawful 
; investigation 


To identify individual in support of a lawful 
investigation 


| 42 | Contact 


| - | To facilitate electronic surveillance, if 
| - : | required | 


To support a lawful investigation to locate a 
subject 
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telecomm object 
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Element - -Sub- Element 


| Telecaram: info 


— er nn M tutt 


| Format 


H 
Contact | Telecomm info 


Contact | Telecomm info. 


nene nee ne 


| Investigation - 


memini erit 


Concealment 
method 


a t AA Pete ou e utu mue imde eicere iniiai, 


| Transport data 


| 


Investigation - 


Investigation | 
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Com modity type 
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| To facilitate electronic surveillance, if 
| | requiren 


| To identity type of illicit activity 


| PIA 


To identify individual i in — ap: a idw 
investigation 


CMT E 


E RRRPPPPPPRPPRERI 


To facilitate dlectronit surveillance, if 


required. object 


Type of commodity associated - 
with object 


To identify in individual in support of a "—- 
investigation 

To facilitate electronic surveillance, if 
required 

To o identity type ot ilicit activity: 
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Commodity type person was 
| transporting 


To 'o identify individual in support at; a i; lil 
investigation 
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To identify individual in support of a lawful 
investigation 
To [e uentifym new concealment oa 
| To support a per investigation tolocatea | 
| subject - | 
—— MM Mise wes uA Nas iM 
| fo Ups: a a lawhül investigation tolocatea | 
su subject. | 


To sion a lawful M as à 
reflection of subject's legitimate means of 
income 


| May be used as a comparison 

| against individual's lifestyle and 

| spending habits to indicate 
presence of illicit source of 
funds 
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a EE EE EE ERES mt 


i t H 
i H H 
H H i 
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Trans port data | Val date | E To support a a RUE nets to confirm | Confirms ownership of. transport 


AR RA P d VENTE A A A AR SESS, 


: identity locations of transportation vehicles. M | vehicles. 


: - : subject p condit tion of the e commodity | 
| table : p | subject c carrying the e comedy 


he 
| 
| 


| To support a lawful investigation if another 
| entity is involved in organized crime activity 


E | E 
$ RTLS na nn AES i i $ 
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investigation _ Transport data Activity | £ | To identify criminal activity in support of a Description of criminal activity 
| - | lawful investigation - i suspected or confirmed 


/————— 3 A neges ————— €———— ME t te RR t AAMEN EAEAN A RR eA Rh RR P PB AR RANA AA AAT 


| Transport data | Type T E | | To identify entity in support MH a lawful | Identifying numbers associated 
| : investigation (to the i d 


Ea eaa aa a a aa D —————————————————— veedeenennerenmeneeeemnnneeeemeneeseseeeeeeseerecer ec ANA Ph NS tst t e NS etn APR A ATP NI ANN PIS tt 


56. “Investigation | Transport data | Transport | € | Tc identify entity EE acme desde support 
a | method E | of a lawful investi igation 


Miete ce D c AAAA AAA NAA NA RP RN ANTI AN A ISIN RS ARIAT MNT LATTE NEE TT a a 


57 Investigation | Transport data E Commodity - | E | To p identify he snathaa dof il licit 


| description : | | goods 


58 | Investigation 
| | investigation 


Vehicle data VIN, PIN, HIN E | To identify entity in su "m— tof a mena 
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_ Purpose / Necessity Notes 


To identify entity in support of a lawful 
investigation 
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“Vehicle data To ere er in support of a m e.g.. 2 door 


| investigation 


ENR NRTA BERTI ES Hr III SARA AAA AAA a ae ata 


To identify entity in support of a lawful 
investigation | 


| 64 | Investigation | Vehicle data Issued EE E | To identify entity in in support tofi à | lawful | | Location of. registration | 
| | | investigation | 
(65. | Investigation EE | Vehicle data Colour To identify entity in nsupport "" p] 
| investigation | 


ER POOLE tt ttti tuu eiiim t ttt ttt M PARRA MAMMA. 


| To locate individual in su da Bb a lawful | Where vehicle i Is s operated 
investigation | 


| Investigation Vehicle data Base 


1 
1 
m 


Vett 


LU 


| 67 | Investigation : Vehicle data 


Niay bin used as a comparison 
against individual's lifestyle and 
spending habits to indicate 
presence of illicit source of 

| funds 


| Net worth - To support a lawful investigation as a 


| reflection of subject's legitimate means of 
| income 
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Category Element Sub-E lement a Format ! Purpose / Necessity - Notes 
d pi ‘reflection of subject’s legitimate means sof against i indi ividual's lifestyle and || 
i income spending habits to indicate 


presence of illicit source of 


| To determine expiration of Net Worth data 
funds 


| element authenticity 


——  ÓÁ—— ————ÁÓ——Á—————— — —————— A D («« 


| 69 | Investigation : Vehicle data | License plate alias | E Any other license plates 


associated with this vehicle 


| To identify entity in support ofa lawful 
| | | investigation - 


Criminal activity associated with - 


To identify involvement of Fentity à in ceed of 
this vehicle 


‘Investigation | Vehicle data | Activity 
: a à lawful investigation. 


| 
|n 


| 71 Investigation | Vehicle data | Commodity 


Article of c commerce or item of 
business relating to a criminal 
| interest 


To Identify: involvement tof entity i in support " 
a lawful investigation 


"——————————————— —————— 


H E 
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m Investigation | Vehicle data | Alias Vehicle 


To identify entity in support of a lawful | Aircraft only 


| Name | investigation 
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73 2 alaton | Vehicle data 


i 
| | Length E To identify entis in ^ Support " à pe | Watercraft only 
| | : | investigation 
| 
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74 | Investigation Vehicle data Beam To identify entity in support of a lawful 


| 75 | investigation Vehi cle data Tonnage = To identify "—— in — ais ai wol "Watercraft only 


| investigation 


| To provide context of previous actions in 
support an ongoing awful investigation: 


ste. = —————— S 


76 | investi igation 


77 | Investigation | | File ref. documents To provide context of previous actions in : 
| “SUPRON A! an h ongoing lawful investigation | 
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| | | Category | ü i" Element is b Sub-Element | Format | 


| 78 | Investigation | File ref. documents. | E | To d provide context of previous actions in 
l | support an ongoing lawful Investigation 


MM AAAA TT I DE PDE LOL PEELE PSEC SEES EES TESTESSESSEESEEREEREUI RS DDR RSR SERRES AARAA, 


| | 
“Investigation | | File ref. documents | £ To provide context of previous actions in 


support an ongoing lawful Investigation. 
a aa a monet nnn "—— — —— """"———————— 


To provide context of previous actions in 


support an ongoing f lawful Al investigation 
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To Bravide context at's previous actions in | 
| Support: an rango ng kawul hvestigapion 


NARA B RR NA NN Ne e Ph SOS TESTS SES ST ST TE ETES TRE RAR RER RTE 


| To provide context of previous actions in 
support an ongoing lawful investigation 


| Investigation File ref. documents 


AAA AAA AMAR MA rires D, LME Lite een RER = ARP: ARP 


To provide context of previous actions in 
| Supporta an n ongoing awful investigation 


4 
3 
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84 Investigation | File ref. documents 


aa aaa wi ——— mE oP 


by 


| | Support an ongoing. lawful investigation 


| 86 | Investigation | | File ref. documents 


| Photogra phs E To identify an ind ividual i in support of an 


| | | | ongoing lawful investigation 
| | | To provide context of previous actions in : 
| = support an ongoing lawful investigation | 


: e.g. maps, handwritten notes, 


To esie context of previous actions in 
drawings 


THERE an ongoing lawful westigation 


| To provide context of previous actions in 
| supporta an nongoing awful ESG 
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à III 


| Purpose / Necessity 


To provida context of previous actions in 
| | Supper an ongoing lawful investigation 


E | This element may be collected by the CBSA 
| | | from ACIIS if it supports a lawful investigation. | | 


90 | Investigation | File ref. documents 


| Information collected will identify individuals 
: - | | involved in transnational serious and/or 
: | | | organized crime 


91 “Investigation File ref. documents - Other documents LUE | | To provide context tofp a actions in Documents/information 


| i non-police agencies. 


Mn RR KO RO RR RR RR ARR AA AAA A RAA RAA ARA. — 3 a MM MEAM AE aa a mR | 


92 : Investigation Misc. documents : Location, | E | To provide context of previous actions in 


: : Organization / | | support an ongoing lawful investigation 
| ; Business, Project, | 


| 
| : Association, 
| : Graphical object 
| (link chart) 


: 
H 
i 
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4,1 Data Flow Model 
Legend: 
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Scope of PIA 


Manual Process 


Automated Process | Optional Process 
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CBSA Disclosure 
to ACIIS 
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| CBSA collects dete in the. jo fem. i 
i course of a awful investigation yq oi 22 
NN m Requesting Agency submits d (Po 70 — ER Cw 
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1. CBSA Criminal Investigations Division (CID) wili collect court records related to investigations of serious 
or organized crime undertaken by the CBSA from publically available sources (see s. 3 1.CBSA Data to be 
uploaded to ACIIS). Records are stored in the Criminal Investigations information Management System 
(CIIMS) within the relevant investigative case file. CID will review each record to ensure each court record 
directly relates to seríous or organized crime before it is uploaded into ACIIS. 


2. The Requesting Agency wil! query the IIS tool of the ACIIS system to obtain information to support a 
lawful investigation. The IIS query tool will retrieve any potential matches to the information queried by 


the Requesting Agency, prompting additional information requests to the CBSA for additional 
information. 


3. If the match is negative, no further action will be taken. 
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om. 4. If the match is positive, the originating body will make a written request to the relevant CBSA 
| investigative Body. The CBSA Investigative Body will evaluate the request and must impose the ACHS 
Third Party rule caveat on the onward use or disclosure of the information. If the Requesting Agency is an 
Investigative Body listed in Schedule Il of the Privacy Regulations, the CBSA will disclose this information 
under s. 8(2}{e) of the Privacy Act. If the Requesting Agency is a law enforcement agency at the Provincial 
level, this information will be disclosed under s. 8(2)(f} of the Privacy Act in accordance with the 
applicable MOU. Publically available court records are excluded from s. 7 and s. 8 of the Privacy Act as a 
result of s. 69(2) of the Privacy Act. However, the CBSA has chosen to seek valid authorities under s. 8(2) 
in anticipation of expanding the list of data elements beyond publically available court records. 
5. The Requesting Agency will continue with their investigation. If the Requesting Agency requires 
additional information, they may choose to make a follow-up request through normal information sharing 
channels outside the scope of this PIA. 
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1. A Criminal investigations Officer queries IIS to obtain information which supports prosecutions of a 
person(s) who is believed to have committed criminal offences against border legislation and may be 
involved in serious and/or organized crime activities. 


2. If the IIS search results in a negative match, no further queries will be made in the system for this 
investigation. 


3. if the HS search results in a positive match for the person queried, the Criminal Investigations 
Officer does not use the data in any capacity. The officer collects the contributing police agency's 
contact details for the purposes of making a formal request to use the information in support of 
the CBSA investigation of a border crime. 


4. Awritten request is submitted by the CBSA under section 8{2}{e) or (f) of the Privacy Act to the police 
agency. The request will detail the purpose for which the CBSA will use the information; authority to 
request and use the information; legislation(s) that will be enforced; and, notify the contributing 


police agency that the information may be shared internally within the CBSA. 


a. if the contributing police agency denies the CBSA request for information, CBSA continues 
with the investigation. 

b. if the contributing police agency approves CBSA request for use of the information, a written 
response is provided which may include additional caveats for the purpose and the scope for 
which the information can be used. 


5. The Criminal Investigations Officer receives the information requested, in an electronic or paper 
format, which is entered into CIIMS. Caveats are also detailed advising that the information is “Third 
Party information" and cannot be used for any other purpose other than the original intent for which 
it was disclosed to the CBSA. 


6. The Criminal Investigations Officer uses the information to support CBSA investigation of a specific 
border related offence for prosecution purposes. 
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anms a. The Criminal investigations Division may make a subsequent request to the contributing 

| | police agency seeking additional details which may not have been provided in the original 
disclosure; or, request permission to use the information for a secondary purpose 
supporting the administration and enforcement of a border related crime. 


7. The information may be disclosed to the Public Prosecutions Services of Canada to pursue 
prosecutions of a person(s) who commit criminal offences against border legislation. This type of 
disclosure would be outlined in the original written request. 


Note: A written request must be made to the originating agency for each step in the investigative 
process, Requests must contain the specific details outlined in paragraph 8(2)(e) of the Privacy Act. 
Broadly worded requests with multiple uses are not permitted. 
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1. An Inland Enforcement Officer queries HS to support an inadmissibility investigation of a foreign 
national or permanent resident of Canada for serious and/or organized crime concerns which are 
related to a border offence. 


2. |f the HS search results in a negative match, no further queries made in the system for this 
investigation. 


If an HS search results is a positive match for the person queried, the inland Enforcement Officer = 
does not use the data in any capacity. The officer collects the contributing police agency's 
contact details for the purposes of making a formal request to use the information in support of 
the CBSA investigation of a border crime. 


3. Awritten request is submitted by the CBSA under section 8(2)(e) or (f) of the Privacy Act to the police 
agency. The request will detail the purpose for which the CBSA will use the information, authority to 
request and use the information; legislation{s) that will be enforced; and notify the contributing 
police agency that the information may be shared with the immigration and Refugee Board of 
Canada. 


a. if the contributing police agency denies the CBSA request for information, CBSA continues 
with the investigation. 

b. tf the contributing police agency approves the CBSA request for use of the information, a 
wtitten response is provided which may include additional caveats for the purpose and 
scope for which the information can be used. 


4. The Inland Enforcement Officer receives the information requested in an electronic or paper format, 
which is entered into the NCMS system. Caveats are also detailed advising that the information is 
"Third Party information" and cannot be used for any other purpose other than the original intent for 
which it was disclosed to the CBSA. 


5. The inland Enforcement Officer writes a report for inadmissibility purposes and processes the 
information provided by the contributing police agency supporting the CBSA investigation. 
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a. The inland Enforcement Officer may make a subsequent request to the contributing police 
agency seeking additional details which may not have been provided in the original 
disclosure; or, request permission to use the information for secondary purposes in support 
of the administration and enforcement of a border related crime. 


6. information is disclosed to the immigration and Refugee Board of Canada in support of inadmissibility 
determination for removal purposes. 


Note: A written request must be made to the originating agency for each step in the investigative 
process. Requests must contain the specific details outlined in paragraph 8(2)(e) of the Privacy Act. 
Broadly worded requests with multiple uses are not permitted. 
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1. A National Security Screening Division Officer queries IIS to obtain supporting information for an 
inadmissibility determination of a refugee claimant, who is physically located in Canada, for serious 
and/or organized crime concerns. 


2. Ifthe HS search results in a negative match, no further queries are made in the system for this 
investigation. 


If the HS search results is a positive match for person queried, the National Security Screening 

Division Officer does not use the data in any capacity. The officer collects the contributing police 

agency's contact details from the system for the purposes of making a formal request to use the 

information in support of the CBSA investigation of a border crime. 

3. Awritten request is submitted by the CBSA under section 8(2)(e) or (f) of the Privacy Act to the police 
agency. The request wili detail the purpose for which the CBSA will use the information; authority to 
request and use the information; legislation(s) that will be enforced; and notify the contributing 
police agency that the information may be shared internally within the CBSA, and with the 
Immigration and Refugee Board of Canada. 

a. if the originating police agency denies the CBSA request for information, CBSA continues 
with the investigation. 

b. If the originating police agency approves the CBSA request for use of the information, a 
written response is provided which may include additional caveats for purpose and scope for 
which the information can be used. 

4. The National Security Screening Division Officer receives the information in an electronic or paper 
format which is entered into the Secure Tracking System (STS). Caveats are also detailed advising 
that the information is "Third Party Information" and cannot be used for any other purpose other 
than the original intent for which it was disclosed to the CBSA. 

5. The National Security Screening Division Officer prepares an inadmissibility recommendation, 
supported by the information disclosed by the contributing police agency. " 
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a. The National Security Screening Division may make a subsequent request to the contributing 
police agency seeking additional details which may not have been provided in the original 
disclosure; or, request permission to use the information for secondary purposes in support 
of the administration and enforcement of a border related crime. 

6. The inadmissibility recommendation is provided to the CBSA inland Enforcement Operation for 
removal purposes (please see detail in inland Enforcement Operations for detail on continued 
process). 

Note: A written request must be made to the originating agency for each step in the investigative 

process. Requests must contain the specific details outlined in paragraph 8(2)(e) of the Privacy Act. 

Broadly worded requests with multiple uses are not permitted. 
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1. An intelligence Operations and Analysis Division Officer will query IIS to develop intelligence leads to 
assist in the investigation of a border related crime linked to serious and/or organized crime through 
the production of analytical products (Annex E). 
2. |f the HS search results is a negative match, no further queries are made in the system for this 
investigation. 


3. if the HS search results in a positive match for the entity queried, the Intelligence Operations and 
Analysis Division Officer does not use the data in any capacity. The officer collects the contributing 
police agency's contact details for the purposes of making a formal request to use the information in 
support of the CBSA investigation of a border crime. 


4. A written request is submitted by the CBSA under section 8{2}{e} or (f) of the PA to the police agency; 
depending on whether the agency is a federal or provincial body. The request will detail the purpose 
for which the CBSA will use the information; authority to request and use the information; 
legislation(s) that will be enforced; and notify the contributing police agency that the information 
may be shared internally within the CBSA. 


5. if the contributing police agency denies the CBSA request for information, CBSA continues with the 
investigation. 


6. If the contributing police agency approves CBSA request for use of the information, a written 
response is provided which may include additional caveats for the purpose and scope for which the 
information can be used. 


7. intelligence Operations and Analysis Division Officer receives the information requested in an 
electronic or paper format, which is entered into the CBSA Intelligence Management System (IMS). 
Caveats are also detailed advising that the information is "Third Party Information" and cannot be 
used for any other purpose other than its original intent for which it was disclosed to the CBSA. 


eain 
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8. Intelligence Operations and Analysis Division Officer corroborates received data for links to serious 
and/or organized crime against CBSA data. 

9. Theintelligence Operations and Analysis Division may make a subsequent request to the contributing 
police agency seeking additional details which may not have been provided in the original disclosure; 
or, request permission to use the information for secondary purposes in support of the 
administration and enforcement of a border related crime. 


10. Analytical Products are disclosed internally amongst CBSA Intelligence and Enforcement Officials (e.g: 
BSOs, Targeting Officers, etc) to support enforcement efforts related to serious and organized crime. 
See Annex E for a List of Intelligence Analytical Products. 


Note: A written request must be made to the originating agency for each step in the investigative 
process. Requests must contain the specific details outlined in paragraph 8(2Me) of the Privacy Act. 
Broadly worded requests with multiple uses are not permitted. 
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4.2 Data Flow Model ~ Table 


This table summarizes the flow of data illustrated in the data flow diagram above. Es 
n rer M bikes epulo em m 
COLLECTION SOURCE 
pe. hi a inean a a aa EE aan 
| Collection from the individual ora The CBSA will collect and "T ate public court records " 
representative individuals or corporations brought to trial for customs or 
| | immigration “is with a nexus to serious and/or 
| organized crim 
Co asus from à federal gbvernrrient Under this framework CBSA investi gative bodies will collect | 
| | institution personal information from the RCMP's PIB CMP PPU 005 | 
- Operational Case Records. — — —  — — — — 
| Federal / Non federal institutions | 
| 400 federal, j provincial date law if RCMP, , Canadian Fo Forces s Military Police, p Ontario io Provincial | 
| 40 rc bureaus | Police Service, Vancouver Police Department, Service de prm 
| | de la Ville de Montréal, etc. 
| Organizati on ofa Foreign State | Category li membership may be granted to: a s foreign law 


| enforcement or intelligence agency if, as determined by the 
respective Provincial Executive Committee, it is deemed to be 
| in the best interests of the broader criminal intelligence 

| community. 


| International O Organization International agencies süch as interpol are able to contribute to 
| _ ACHS as well as conduct queries with the assistance of a 
| ! Provincial Bureau. zad 
Private Sector E 
| Located i in Canada and Canadian Owned | No: private sector organizati ons contribute data to ACIIS. 
A E — eer re ————— —  ——— —QQM[NRLARAnAA5^—— —————— —— 
, Located i in » Canada and Foreign Owned | No private. sector organizations : contribute data to ACI s. | 


| Data collected by CBSA from ACIIS wiH be dsed by: | + CBSA PPU 035 


| e Criminal Investigations Division, CBSA | + CBSA PPU 1402 | 
| e Inland Enforcement Operations Division, CBSA | e CBSA PPU 1403 | 
* National Security Screening Division, CBSA | | 
| a intelligence Operations and Analysis Division, CBSA | * À new Personal Information | 


: | Bank will be created to cover 


- the additional investigative 


| Body. This has been 
| identified as a privacy risk in 
| Section 6, below. 
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| Disclosed t to “ie individualc ora | NA 
: _Tepresentati ve | 
| Disclosed to / used by federal | CISC federal menger m feet agencies 
| government institutions (RCMP, DND Military Police, Wildlife Service of Canada, 
e CMP PPU 005 5 Operational C Case Records 
| | Non-federal institutions and private sector | 
TE 2 te en 
Disclosed to / used by provincial Provincial law eriforcement partners (Ontarie o Provincial. 
| governments | Police, Süreté du Québec) 
Disclosed to / used m hiutddpal | Murat Ha enforcement partners (VanebVer: Police 
| governments | Department, Toronto Police Services, Service de police de la 
| Ville de Montréal, Calgary Police Services, etc.) 
Disclosed to aboriginal government / | Aboriginal police services have Category 1 access to 
council information contained in the ACIIS database 
D Disclosed to organizations ofa In sccordanéé to ACIS Policy and Regulations, Category Il - 
| foreign state | Membership may be granted to a foreign law enforcement or - 
| intelligence agency if, as determined by the respective 
| Provincial Executive Committee, it is deemed to be in the 
ve best interest of the broader criminal intel ligence « communi ity. 
Disclosed to international | | ln accordance to ACIIS Policy and Regulations, Cotégory H | 
organizations | Membership may be granted to a foreign law enforcement or 
| intelligence agency if, as determined by the respective | 
Provincial Executive Committee, it is deemed to be in the 
u | best interest of the broader criminal intelli igence community. E 
| Private Sector | 
| Located | in Canada and Canadian | No personal information will be disclosed t to private: sector | 
| Owned organizations | 
Located in | Catiada and Foreign N No personal information will be disclosed to » private $ sector | 
Owned | organizations - 
Located abroad and Canadian | No personal information will be disclosed t to » privates sector 
Owned | organizations 
| Located abroad and Foreign Owned | No personal information will be disclosed to private sector 
| | organizations 


Canada Border Services Agency 


e 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information 


CBSA — CISC Information Sharing Framework PROTECTED B : PIA 


4.5 Retention / Storage 


“Information collected! " CBSA investigative bodies will be stored | in the following CBSA systems: 


e Criminal intelligence Information Management System (CHMS) 
o Criminal investigations Division 


National Case Management System (NCMS) 


o Inland Enforcement Division 
e Secure Tracking System (STS) 
o National Security Screening Division 


Intelligence Management System (IMS) 
© Intelligence Operations Division 


» poney a privacy fski that some of n furictions do not das a itertespondine/ Pi Pi B. This privacy 
z risk has been noted il in n Section 6 below. 


qnformatia ion n disclosed by CBSA investigative bodies to CISC will be stored on a secure server at csc 
| headquarters i in Ottawa and backed up on a regular basis (see CISC PIA for additional details). 


| | As per CISC policy, the CBSA is fully responsible for the accuracy and disposition of any records it | 
| uploads into the ACIIS. The CBSA will provide statistical data detailing seizures made by the Agency. TT 
When CBSA records have reached the end of their life cycle, the CBSA shall securely delete the : 
records from all repositories (including ACIIS), in accordance with the record's disposition schedule 

and the records will no longer be available to CISC policing partners. No information will be disci sed. 
| used, retained or disposed of by organizations of a foreign state or international organizations. 


| Record disposition schedules have not yet been assessed by CBSA Information Management, This 
: _ privacy risk has been noted in Section 6 below. 


| Private Sector 


Records retained / stor red by pri Wate No information disclosed by CBSA investigative Pacis 
| sector organizations located in Canada — | will be retained / stored by private sector organizations. 
| and Canadian owned? | 


p ——— —————MÓÁ— sens AAA RARES tbe PA ni SATA ————————— 


Records retai "- stores by private No information disclosed " CBSA investi igative bodies: 
sector organizations located in Canada | will be retained / stored by private sector organizations. 
and foreign owned? | 


HUI TEE Hinr rmm RR A NAP EK tti Er rer ono ooa i FR A EE E ERES RE EE ERREUR: 


Records retained / stored by private | No information disclosed by CBSA investigative bodies | 
sector organizations located abroad and | will be retained / stored by private sector organizations. 
Canadian owned? — i 


Records retained fs stored by private | No information di — by CBSA investigative bodies 
sector organizations located abroad and | will be retained / stored by private sector organizations. 
foreign owned? | 
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un 4.6 Other Considerations 


in accordance with CISC national policy, the use of information uploaded to the ACIIS database 
and accessed by member agencies is governed by strict "Third Party" rules set out in ACIIS 
policy. These rules state, for example, that other agencies must not further disclose 
information, or use information for an administrative purpose without first contacting the 
originating agency. The CBSA Third Party Rule will be added to all documents uploaded to the 
ACIIS. The Third Party statement is noted below: 


"This document is the property of the Canada Border Services Agency (CBSA) and should not be 
reclassified or disseminated without prior consent of the originator. The information must be 
stored, transmitted, and safeguarded in accordance with its classification level, as outlined in the 
Government Security Policy and the CBSA Security Policies. If access is requested under the 
Access to Information Act or the Privacy Act, no decision should be taken without prior 
consultation with the originator, as the information may be subject to exemptions. Requests for 
additional use should be forwarded to the Enforcement and intelligence Operations Directorate, 
CBSA.” 
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| SECTION 5 - PRIVACY COMPLIANCE ANALYSIS 


| 


1.1 Has a legai authority been identified for the collection of personal information for this initiative? 


- Statutory reference: Section 4 of Privacy Act (Section 4 has been interpreted to mean that a legal 
authority must be established for a collection of personal information, but section 4 does not provide 

| legal authority for such a collection). 

Policy reference: Section 6.2.6 of Directive on Privacy Practices 

| Yes, iegal authorities have been identified for the collection of personal information by the CBSA from 

| public sources and from CISC's ACIIS database. Please see Section 1 (above). 

| 12 \s the personal information collected directly related to an operating program or activity? 

| Yes. The personal information collected by the CBSA from the ACIIS system will be used by to support the 

- Criminal investigations, in inland Enforcement, and Intelligence programs. 

2.1 1s each element and sub-element of personal information collected or to be collected necessary to | 
| administer the initiative? | 
| Statutory reference: Section 4 of Privacy Act | 
| Policy reference: Sections 6.1.1, 6.1.3, 6.1.4, 6.2.7 and 6.2.8 of Directive on Privacy Practices LL. 
: Yes, each element and sub-element collected by the CBSA and uploaded to the CISC database is only 
information that is relevant to the case before the courts. Only information relevant to an ongoing 

: investigation will be identified and retrieved by the CBSA from the ACIIS database. 


| 2.2 = Ş Ensure that all personal information necessary to administer the initiative is listed in the relevant PIB. 


| 2.2 [x] implement controls and procedures to ensure the CBSA does not collect more personal ndn. 

than is necessary for the identified initiative and that a continuing need exists for that information or its 

collection. 

- 2.4 Are secondary uses contemplated for the information collected? | 

: No secondary uses are contemplated for the information collected by the CBSA from public court records or 
from the ACIS database. Information collected from ACIIS cannot be used or stored within CBSA databases | 
without prior written consent of the originator. No information may be used or disclosed for a secondary 
purpose without the consent of the originator of the information in accordance with the Third Party rule. 
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5. 3 Authority for the Collection, Use or Disclosure of the Social insurance Number 
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2 3.1 Is the collection of the Social Insurance Number (SIN) necessary to administer the initiative? 


Statutory reference: Section 4 of Privacy Act 
Policy reference: Section 6.2.13 of Policy on Privacy Protection and sections 6.1.1 and 6.2 to 6.4 of 


Directive on Social insurance Number 
Also see "Guidance for Preparing Information-Sharing agreements Involving Personal Information" and | 
"Taking Privacy into Account Before making Contracting D Decisions” 
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| 4.1 Is personal information collected directly from the individual to whom it relates? 


| 4,2 Yes, information used in judicial proceedings is collected directly from the individual. 


| 43 No, the personal information collected by CBSA investigative bodies from the ACHS database is not 


: 5.1 Is personal information collected indirectly from another source with the informed consent of the individual 
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| 82 (J Collection of the SIN must be in compliance with the Directive an Social insut rance > Number fg please | " |] 
i check all appropriate boxes below): 


| 3.3 State legal authority for collecting the SIN: | 
i 


No, the collection of the SIN is s not necessary to administer the initiative. 


Statutory reference: Sections 4 and 5 of Privacy Act 
Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and section 
6.1.2 and 6.4.1 of Directive on Social insurance Number 


CBSA Collection of Open Court Records: 


CBSA Collection of ACIIS Data: | 


collected directly from the individual. 


E 2 Indirect Collection - Consent or Authority under Sec. 10 of Privacy Regulations | 


E 


to whom it relates, or from a person authorized to act on behalf of the individual pursuant to section 10 of 
the Privacy Regulations? 


Statutory reference: Sections 4 and 5 of Privacy Act and section 10 of Privacy Regulations 
Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and sections 
6.1.2 and 6.4.1 of the Directive on Social Insurance Number 


| 5.2 Nao, the personal information collected by CBSA investigative bodies from the ACIIS database is not 
| collected directly from the individual or their authorized representative under section 10 of the Privacy 
Regulations. 


6.1 Is eee information collected from another source without notice to or consent from the individual to 
whom the information relates? 
Statutory reference: Sections 4, 5, 7 and 8 of Privacy Act and section 10 of Privacy Regulations 
Policy reference: Sections 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices, section 6.2.15 of 
the Policy on Privacy Protection and sections 6.3.2 and 6.3.3 of Directive on Privacy impact Assessment 
Yes 
Where information is collected indirectly under any of the following circumstances without notice to, or 
consent from, the individual to whom it relates, please check the applicable boxes and explain as | 
requested: : 
8(2) of the Privacy Act. State the applicable paragraphí(s j« of ene n8(2 ; ‘and previde: a brief 
explanation for each: 


pcepennannnnnnnnnnonn 
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Personal information is disclosed to the CBSA by the ACIIS contributor for the purposes of 
lawful investigations into organized crime. The RCMP considers this a consistent use (s. 8(2)(a)) ; 
listed under RCMP PPU 005 (Operational Case Records). Further information may be Le 
requested for the purpose of investigating other serious offences to be disclosed by the | 
originator under the investigative body designation provision (s. 8(2}{e) or the equivalent 
provision of the local data protection authority. in cases where there is an existing written 
agreement between the CBSA and the originating body, information will be disclosed under the 
terms of that agreement (s. 8(2Yf)). 

D) Direct notification of the individual might result in the collection of inaccurate information, or 

: might defeat the purpose or prejudice the use for which the information is collected. Briefly 

j explain why notice is not provided: 

Details: Notice that personal information may be collected indirectly from other sources is not rovided 
| to the subjects of CBSA investigations. A lawful investigation may be jeopardized if the 
investigators were required to notify subjects because they would take further steps to obscure 

| their activities or cease their activities altogether. 

6.2 


if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the relevant PIB. 
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5.7 . Retention and Disposal of Personal Information 


7.1 Has Library and Archives Canada approved a records retention and disposal schedule that applies to the 
personal information? 


Statutory reference: Section 12 of Library and Archives Canada Act, sections 6, 10 and 11 of Privacy Act 
and section 4 of Privacy Regulations 

Policy reference: Sections 6.1.3, 6.2.11 to 6.2.13 and 6.2.23 of Directive on Privacy Practices 

Yes | Pe 
identify the Record Disposition Authority (RDA) and describe the retention and disposal schedule: | 
Details: The RDA number is 2015/008. According to the Subject File Classification System for Criminal 
investigations, most CIIMS records are retained for 7 years, and then deleted or transferred to 
Library and Archives Canada if they have enduring archival value. However, leads and referrals 
within CUMS are retained for 10 years. 


7.2 DS implement controls and procedures to ensure that personal information used to make a decision that 
directly affects an individual will be retained for a minimum of two years after the last administrative 
action or, where a request for access to the information has been received, until such time as the 
individual has had the opportunity to exercise all his/her rights under the Act. 


If the CBSA intends to dispose of personal information that has been used for an administrative purpose 
prior to the expiration of the two-year minimum retention standard established by the Privacy | 
Regulations, it will obtain in writing the consent of the individual to whom the information relates 
before doing so. 


7.4 DÀ The CBSA will cite the RDA number, the retention period and the disposition standards for the personal 


: 8.1 Will measures be adopted to ensure that personal information used by the CBSA for an administrative 
| purpose is as accurate, up-to-date and complete as possible? 
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m. | Statutory reference: Sections 6, 10 and 11 of Privacy Act and sections 10 and 11 of Privacy Regulations — 


Policy reference: Sections 6.1.1 and 6.2.9 to 6.2.16 of Directive on Privacy Practices 
| Yes : 
| 8.2 Please check any of the following measures that will be adopted to ensure accuracy of the personal | 
| information and provide details as requested: 

8 2.4 D Adata-matchi ing process will be used to verify the accuracy of personal information against a 


"reliable source" (within or outside the CBSA) where this is authorized, or where consent was | 
obtained. | 


Details: The defendant's name, addresses and other identifying information contained in the public 
court record are carefully compared with identifiers in the CBSA investigation file prior to 
upload into ACIIS. 


in cases where direct collection or consent is not feasible, the CBSA will obtain information from 

trusted sources (public or private) and verify accuracy against existing personal information before 

use. 

Details: ACIIS has well-established standards and practices to ensure the accuracy, validity and 
relevance of data uploaded by contributing agencies. Each contributing agency is | 
responsible for the data that they input. Reports are provided to ensure that records are 
validated at periodic intervals. Each agency is subject to an independent audit by ACIS 
auditors. 


n 23 [] Technological methods will be used to identify errors and discrepancies. 


8.3 [X] AND, if measures are adopted other than "direct collection or validation with the individual or with a 
person authorized to act on behalf of the individual", the CBSA must implement appropriate controls and 


procedures to ensure that: 
a) the technique(s) and the specific source(s) used to validate or update the personal information are 
| documented; 
| b) individuals are given the opportunity, whenever possible, to request correction of any inaccurate 
personal information before the information is used in a decision-making process that affects them; 


E las es'ee'ea's Canna aes ea anaas ana nn 


C) personal information can only be modified or corrected by those within the CBSA who have the | 
authority to do so; 

d) when personal information is corrected or annotated, the record of personal information indicates 
the date of the last correction or annotation and the source of the information used to make the 
correction or annotation; and 
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d) when personal information is corrected or annotated, other authorized holders of the information 
are notified about the correction or annotation and that all copies of the information in the 
possession of the CBSA are corrected / annotated. 


8 4 C] AND, if appropriate, ensure that the “Privacy Notice” or “Consent Statement” and the relevant PIB are 
amended to identify the data-matching activity including the sources k 
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5s 9 Use of Personal Information 


| 2.1 Will the personal information collected for the initiative be used solely for the original purpose for which 


it was obtained or compiled, a use consistent with that purpose, or a purpose for which the information 
was disclosed to the institution pursuant to subsection 8(2) of the Privacy Act? 
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Statutory reference: Sections 5 and 7 to 11 of Privacy Act 
aie reference: Sections 6. 1. 1; 6. i. 3, 6. 2. 9 to 6:2. 13 iis 6. 2: 17 of Directive on n Privacy Practices, 


Assessment 
Yes 
9.2 Implement controls and procedures to ensure that access to the personal information for such 
purposes will be limited to authorized individuals who need to know the information to perform their 
official duties. 


Details: Use of information collected from the ACIIS is limited to the purpose for which it was disclosed, 
in accordance with s. 7(b) of the Privacy Act. Access to publically available court records 
uploaded to the ACIIS database will be limited to individuals in Category 1, 2, and 2.a police 
agencies undertaking lawful investigations, as per CISC policy. However, publically available 
court records are excluded from the use (s.7) and disclosure (s.8) sections of the Privacy Act 
under s. 69(2). Access to ACHS data will be limited to investigators within the CBSA's four 

i designated investigative bodies who have a "need to know" to further a lawful investigation. 


A "Data Flow Diagram" and "Data Flow Table" are included (see "Section 4 — Flow of Personal 
information") identifying the areas, groups and individuals (e.g., the positions) within the CBSA who 
have a need-to-know to access to or handle the personal information, including their geographical 
location and where the personal information will be stored or retained. 


Information may be used for a non-administrative purpose, such as research, statistical, audit and 
evaluation purposes. This has been reflected in the associated PIBs, and the CBSA will adhere to the 
requirements and principles in the CBSA Privacy Protocol For Non-Administrative Purposes (2012), in 
accordance with section 6.2.15 of the Policy on Privacy Protection to address any impact that such non- 
admini strative uses may have on privacy. 
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E 10. | Disclosures Directly Related to the Adi linistration of the Initiative 
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10.1 Will personal information be disclosed for purposes directly related to the administration of the 
: initiative? (This includes, for example, disclosures to other programs within the CBSA, other federal 
institutions, other governments, international organizations, private sector organizations or individuals.) 


Statutory reference: Sections 5 and 8 to 11 of Privacy Act. | 


6.2.3 of Directive on Social Insurance Number, sections 6.1.9, 6.29 to 6. 2.13 and 6.2.15 to 6.2.20 of 
Directive on Privacy Practices and section IV of Appendix "C" of Di dmt 


Also see "Guidance for Preparing Information-Sharing agreements iyolving Beer ai Information! and 
"Taking Privacy into Account Before making Contracting Decisions 
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Yes 
10.2 Please check all applicable boxes below and, for each disclosure, identify the name of the organization 
identify the branch and the initiative, 
10.1.1 XX iid the CBSA for another program or activity 


| Details: Four investigative bodies. related toa lawful investigations related to serious anc orga 
crime. | 
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10.1.2 [X] Other federal government institutions 
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or third party to which personal information will be disclosed. If it is disclosed within the CBSA, please | 
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10.1.3 [X | Provincial, territorial o or r municipal g governments insti itutions - | 


p 7 
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: | Details: No information will be disc losed to foreign governments or entities as part of the 
2 administration of this program. 
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| 10.2 X AND, ensure that: 

| a) anysuch disclosure is made in compliance with section 8 of the Privacy Act, which allows | 
| disclosures of personal information with consent of the individual to whom the information relates | 
(subsection 8(1)) or without consent in certain and limited circumstances pursuant to subsection 


8(2) of the Act; 
b) only personal information elements that are necessary for the intended purpose are disclosed; 
c) theorganization or third party receiving the personal information is authorized to do so; 


| d) administrative, physical and technical safeguards appropriate to the sensitivity of the information 
| will be applied to protect the information during and after its transmission (see Question 15); 
gems | e) the organization or third party to which the personal information will be disclosed for the | 
! administration of the initiative are identified in the "Consistent Use" section in the relevant PIBin — 
CBSA Info Source, including the specific purpose of the disclosure; 
f) the "Privacy Notice" or "Consent Statement" describes any disclosures of information and, 
g} the “Data Flow Diagram" or "Data Flow Tables" completed in "Section 4 — Flow of Personal 
information" of the CBSA PIA include details on the disclosed personal information. 


| 10.3 [.] AND, any disclosure of personal information to another federal institution or outside the Government of 
| Canada is governed by a formal agreement or arrangement (e.g., a Memorandum of Understanding, an 
accord, a contractual arrangement, etc.) to ensure that appropriate privacy protection clauses are 
included, and, where applicable, include provisions for inter-jurisdictional or trans-border flows of 
personal information. Such clauses must cover the following topics: 


a) Control over personal information, where appropriate. 
b) Limitations on the collection, retention, use and disclosure of personal information. 


| c) Measures (administrative, technical and physical) to protect the integrity and confidentiality of | 
| personal information. 


Measures governing the disposition of the personal information, where relevant 
ej Measures to ensure or verify that the personal information is only used for the purposes related to 
the agreement, arrangement or contract. 
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f) Obligations are to be extended to other parties such as subcontractors. 


| Details: CBSA-CISC Memorandum of Understanding only governs. the relationship between the two 
| agencies and does not govern the sharing of information between partner agencies. Instead, a 
| combination of consistent use (8(2)(a) of the Privacy Act), law enforcement assistance (8(2 te) ofthe 


Privacy Act), and MOUs with each province (8)(2)(f)) of the Privacy Act)wili be used. 
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Will controls and procedures be implemented to account for any new use or disclosure of the personal 
information that is not included in the relevant PIB published in CBSA Info Source? 


Statutory reference: Sections 7 to 11 of Privacy Act and section 4 of Privacy Regulations 


Yes 


d) 


ej 


Appropriate controls and procedures have been or will be implemented to ensure that: 

the ATI and Privacy Director or the appropriate delegate is notified about any new use or 
disclosure of personal information that is not reflected in the PIB description published in CBSA 
info Source; 


the consent of the individual to whom the information relates is obtained in writing, as 
appropriate, prior to any new use of the information for an administrative purpose that is not 
reflected in the relevant PIB published in CBSA info Source, unless the new use is considered to be 
consistent with the purpose for which the personal information was obtained or compiled and the 
Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith regarding the 
new consistent use; 


except as permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 
information for a purpose that is not reflected in the relevant PIB published in CBSA Info Source 
will only be made with the consent of the individual to whom the information relates; 


a record is kept for any new use or disclosure of personal information not described in the relevant - 
PIB published in CBSA Info Source, and that this record is stored with the personal information to __ 
which it relates and retained for a minimum period of two years following such a use or disclosure. 
The record of use or disclosure wiil include the name and title of the person authorizing the use or 
disclosure; the name of the institution, person, organization or body receiving the information; a 
description of the use or purpose of disclosure; a copy of the information disclosed, or a 

description in sufficient detail to allow a determination of exactly what information was used or 
disclosed; 


if the information is disclosed to a federal investigative body under paragraph 8(2)(e) of the Privacy 
Act, the record of disclosure will be kept in a separate PIB for a period of two years where it will be | 
available to the Privacy Commissioner for review upon request; {e.g Standard PIB "Disclosure to 
investigative Bodies" PSE 913] 


the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith, as required 
under subsection 9(4) of the Act, of any new use or disclosure that is consistent with the purpose 
for which the information was obtained or complied, but which is not reflected in the relevant PIB 
published in CBSA Info Source; | 


the relevant PIB is amended in time for the next edition of CBSA info Source to include any new | 
use(s) or disclosure(s) that are consistent with the purpose for which the information was obtained | 
or compiled, as well as any routine use(s) or disclosure(s) that do not fall within the categories of — | 
purpose of collection or consistent use; and 

the Privacy Commissioner is notified, by the ATI and Privacy Director, prior to or forthwith, as 
required under subsection 8(5) of the Act, about any disclosures made or to be made in the public 
interest or in the interest of the individual to whom the information relates. 
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- 12.1 The information contained in the SoS or similar analysis has been taken into account when assessing the 


[518 


vraies 


Yes 


434 Has a Threat and Risk Assessment (TRA) or a similar security assessment been completed for the initiative? 
(Input to this section must be coordinated with and reviewed by CBSA —IT - Security Directorate) 


13.2 [ | AND, obtain assurances from the officials responsible for the initiative that the measures recommended 


Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of sensitivity 
of the personal information to be collected and retained for the initiative? (Input to this section should 
be coordinated with and reviewed by the CBSA —IT - Security Directorate} 


Polic | ae m E ix C of Directive on Privacy TA act Assessment and sections 6.2.17 to 6.2.21 of. 
Directive on Privacy Practices, Policy on Government Securit Operational Security Standard: 


level of risks to pri vacy in "Section 2 - Risk Area Identification and Categorization" of the CBSA PIA. 
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Miu p wd ns 7 f and d of eie Act. 
Directive on Macy Practices, MM on Co Huit Security, Onénitional Security Si 5 tendant: 
Management of Information Technology Security (MITS) 


No | 
13.1 [x] Reference the title of the TRA or other security assessment in “Section 6 — Supplementary Documents 


List" and provide a brief synopsis of the assessment in the space below: 


Details: TRAs for source systems have not been completed. This risk has been identified in Section 6, 
below. 


in the assessment have been implemented to ensure the confidentiality, availability and integrity of the 
personal information. 


| 13,3 [_] AND, ensure that any residual risks to personal information are known and accepted by the executive or 


|5 14 Safeguards - Administrative, Physical and Techni cal 


444 Please identify below any administrative, physical and technica! safeguards in place, or to be implemented, 
for this initiative to ensure the confidentiality, availability and integrity of the personal information. 


senior official responsible for the initiative and the Head or delegated authority for the Privacy Act. (ATI | 
and Privacy Director) - 
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Statutory reference: Sections 7 and 8 of Privacy Act 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on VUE) | Practices | Policy on Government Security Operational Security Standard: 


14 2 Administrative safeguards 


E Internal security and privacy p policies and procedures 
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staff tra ining on privacy and the protection of personal information 


x 


<] Appropriate security levels for employees who will have access to personal information 


Contingency plans and documented procedures in place to identify and respond to security and 
| privacy breaches, and to communicate security violations to the data subject, law enforcement | 
| authorities and relevant program managers 
DX] Regular monitoring of users’ security practices | 
[X] Methods to ensure that only authorized personnel who need to know have access to personal | 

information ; 


| 14.2 Physical safeguards 

| Restricted access areas 

: [X] Security guards 

Identification badges are worn by staff at all times 


After hours alarms and monitoring systems 


D 


j Locked filing cabinets | 
[| Combination locks | 
[ | Safes 
E 


} Cipher locks (opened by programmable keypad) | 


K | Key cards 


Video surveillance (closed-circuit television) 


X] Backups secured off-site + 
C] other |o 
14.3 Technical safeguards 


Xj Role-based user authorization and authentication 

| Biometrics 

| Passwords (minimum of 6 characters long, include alpha and numeric characters) 

| Passwords are changed by users every 90 days and recently used passwords cannot be re-used) 
j Password protected screensavers 


<] Session-time out security (automatically locks an account after a session has been idle for a 
specified amount of time) | 

DX. Firewalls 

D Intrusion Detection System (IDS) 

[x] Virtual Private Network (VPN) | 

K Encryption of sensitive information | 

Government of Canada Public Key Infrastructure Certificates (PKI) | 

External Certificate Authority (CA) | 

Audit trails 

|] Other 
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Details: TRAs have not been completed for associated CBSA systems. This has been identified as a | 
privacy risk in section 6, below. | 


Iti 
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p 15.1 Will the information system(s) used to deliver the initiative employ cookies or other tracking technologies 
| to collect personal information about users and their transactions | 


Statutory FH reference: Sections 4 to 10 of the Privacy Act and SECHUR 4 a Privac Re ulations 
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| 16.1 Will the new or modified initiative result in new or increased surveillance or monitoring of a targeted 
population? 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of 
the Charter of Rights and Freedoms 
Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
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Ix] Yes, the new or modified initiative will result in new or increased surveillance or monitoring of a 
targeted populati on. 


"" 5 i7 Considerations Related t to o Compliance, Regulatory Investigation, Enforcement | 
17.1 Does the initiative involve compliance/regulatory investigation or law enforcement, surveillance or | 
intelligence gathering that aos specific individuals against whom penalties, criminal charges or : 
sanctions may be applicable? | 
Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of 
the Charter of Rights and Freedoms 
Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices | 
Yes | 
17. 2 Dd Consuit with your legal advisors to determine whether or not the compliance/regulatory investigation : 
or law enforcement activities raise any issues relating to the Charter of Rights and Freedoms, the | 
: Privacy Act or other applicable acts. | 
| 17.3 AND, identify the legislative authority and the specific regulatory or law enforcement purpose involved: | 
- Details; Purpose of collection is to support lawful investigation into serious and organized crim | 
| 17. 4| ] AND, if the legislative authority differs from the legal authority for the initiative, ensure it is sriequaisty - 
| reflected in the response to Question 1 of “Section 5 — Privacy Compliance Analysis" and in "Section 1— : 
| Overview and PIA Initiation” of the CBSA PIA. 
17.5 LY AND, any personal information collected or created as a result of such regulatory or criminal | 
enforcement, surveillance or intelligence gathering initiative is described in the relevant PIB and in 
"Section 3 — Analysis of Personal Information Elements" of the CBSA PIA. 
| 17.6 |_| AND, the collection or use of personal information through these compliance / regulatory investigation 
"m | or enforcement activities is adequately reflected in the "Privacy Notice", unless such notification might 


| result in the collection of inaccurate information or defeat the purpose, or prejudice the use, for which 
| the Prg information is collected. 
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| [X] If notice about the compliance/regulatory investigation or law enforcement activities will not be 
| provided. 


| Details: The CBSA does not seek consent for the collection and use of this information since this would | | 


defeat the purpose for the collection and compromise the investigation. 
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6 — SUMMARY OF ANALYSIS AND RECOMMENDATIONS 


The CISC-CBSA Information Sharing Framework PIA has identified a number of potential privacy 
risks above. The following section summarizes these privacy risks and provides 
recommendations for mitigation strategies for review by Program Areas, Senior Management, 
and the Chief Privacy Officer (CPO). The risks and recommendations will be incorporated into 
the CISC-CBSA Information Sharing Framework PIA Action Plan, found in Annex C. 


1. National Security Screening Division is not reflected in infoSource. 


The National Security Screening Division (NSSD) is not currently covered by an existing 
Personal Information Bank (PIB). The CBSA is out of compliance with s. 10(1) of the 
Access to information Act and this presents a privacy risk that individuals may not have 
the ability to access their personal information under the control of the CBSA. 


2. Existing PIBs require updates to reflect the CBSA-CISC Information Sharing Framework. 


The CBSA's Info Source contains a number of inaccurate or outdated references and 
must be updated to reflect the reality of each program or activity. The CBSA is out of 
compliance with s. 10(1) of the Access to Information Act and this presents a privacy risk 
that individuals may not have the ability to access their personal information under the 
control of the CBSA. 


3. Threat Risk Assessments (TRA) have not yet been undertaken for all CBSA databases housing 
personal information collected from partner agencies. 


The CBSA will store records received from ACIIS contributors in the Criminal Intelligence 
Information System (CIIMS), Intelligence Management System (IMS), Secure Tracking 
System (STS), and National Case Management System (NCMS). The CBSA inherited each 
of these legacy systems upon its creation and has not yet fully assessed the security 
safeguards of these systems through the Threat and Risk Assessment (TRA) 
methodology. However, the CBSA has assessed portions of these systems during the 
regular maintenance cycle and has endeavoured to ensure that all relevant safeguards 
have been put into place. The CBSA is out of compliance with the Management of 
Information Technology Standard (MITS) and this creates a privacy risk that personal 
information may not be fully safeguarded. 


4. Record retention schedules for the CBSA databases housing personal information collected 
from partner agencies have not yet been applied. 


The CBSA is currently reviewing its information management practices to ensure that 
information that is no longer necessary is destroyed. The first step of this process was 
obtaining a new Records Disposition Authority (RDA 2015-008) from Library and 
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Archives Canada. However, the retention schedule has not yet been fully 
operationalized within each of the CBSA databases described above. The CBSA is . 
potentially out of compliance with its retention schedules which may create a risk that eiie 
personal information may be retained longer than necessary thereby increasing the 

likelihood and/or severity of a privacy breach. 
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| The following signature represents a 

| commitment to comply with sections 4 to 

| 8 of the Privacy Act and the related privacy 
| policy requirements outlined in the CBSA 

| PIA as they relate to the administration of 


The following signature represents a commitment 
by the Head of the institution or his/her | 
delegate(s) who is responsible for establishing 
personal information banks in accordance with 
section 10 of the Privacy Act. 


i 
i 
; 
1 
1 
1 
i 
1 
| 
i 
i 
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| the identified initiative/ 


FI 
? 


a — 


d 


: r BSA Vice President lead for Signa 
| program or activity 


ture of CBSA ATI and Privacy Director 


MAR 23 2017 


Date | Date | 
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| Note: Responsibility for sections 4 to 8 of the 
Privacy Act rests with all employees of 
government institutions that handle personal 
information. Officials who manage such 

| programs and activities are responsible for 
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Note: Under the Privacy Act, the Head or his/her 


delegates) is responsible for complying with legal and 


relevant privacy policy requirements related to the 
approval and registration of personal information 
banks 


| ensuring that such requirements are 
| implemented as part of the administration of 
| the program or activity. 
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à Annex A: Privacy Complia nce Checklist and Other Considerations 


Note: The table below must be used to keep an account of actions completed and to track outstanding actions required to 
achieve privacy compliance: 


Privacy | Action required to support legal and policy compliance 
Compliance 
Analysis 
question # 


(cross reference to relevant question of Section 5 — Privacy 
Compliance Analysis) 


1 | Legal authority for the initiative has been established and is 
_ reflected in the relevant PIB. 


2 _ a) The categories and elements of personal information to be 
collected for the new initiative have been carefully assessed 
based, for example, on the CBSA's experience gained with 
the administration of a similar initiative. The personal data 
collected will be limited to only that which is required. 


. b) Categories and elements of personal information have been = y 
described in the relevant PIB for the initiative. = 


| c) Controls and procedures will be implemented to ensure the 
CBSA does not collect more personal information than 
Qr M . necessary for the initiative and that a continuing need exists 


4 and 5 _a) All of the requisite "Privacy Notices" and "Consent 
Statements" that meet the requirements of sections 6.2.9 to 
6.2.12 of the Directive on Privacy Practices have been 
drafted. (Texts of the notices and consent statements must 
be included as an annex.) 


| b) Controls and procedures have been implemented to keep 
|. records of individual consents, and to ensure that persons 
acting on behalf of individuals who do not have the capacity 
to provide consent have the authority to do so under section 
10 of the Privacy Regulations. 


7 a) ARecords Disposal Authority (RDA) has been approved by 
: Library and Archives Canada to authorize the disposal of the - 
records containing personal information forthe program. — : | 
. b) Controls and procedures have been implemented within [1] | EAE E 

the initiative and the CBSA ATI and Privacy Division to | 
ensure that information that has been used for an : 
administrative purpose will be kept for the minimum | E 
retention period established by the Privacy Regulations. 


: C) Reference to the RDA, the retention period and the 
disposition standards for the program have been cited in 
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Privacy Action nrequirad: to support legal and policy compliance h 
Compliance ^ ^ (cross reference to relevant question of Section 5 — Privacy 5 | BOB ee 


Analysis - Compliance Analysis) 
question # | 


8 | Controis and procedures are in the process of being | 
implemented to ensure that the personal information | | B 


associated with the program is as accurate, complete and up- 
to-date as necessary. 


Other Privacy Considerations related to specific principles that are not explored 
in the previous 17 sections: 
(these considerations should be explored in the Executive Summary) 


Openness Describe how the results of any privacy impact assessmentor — [] - ^ Lj 
audit will be made available to the public. The Executive : 
Summary will be published on the external CBSA ATI and 
: Privacy Division website at http://www.cbsa-asfc.gc.ca/agency- - 
: agence/reports- rapports/pia-efvp/atip- aiprp/pias- -sefp-eng. html 


| Are policies and practices relating to the proposal's CF UU RK 
management and handling of personal information available to | | 
| the publi c? 


Is there a communications plan to -— to the public how : Li | Il : x 
| personal i ! information will be managed and protected? 


Is there a clearly defined and easy process for individuals to 
access such information and/or communicate with appropriate 
individuals with respect to policies and practices relating to 

| management and protection of personal information? 


Where appropriate, will public consultation take place on the 
| Privacy i im nplications of the proposal? 


individual's Access Is the system designed to ensure that an individual can have 
To : access to his/her personal information, including all other AM _ : 
: programs or applications that have received copies of the - E | E 


Personal + | 
information? s. 12(1) 


information 


_ Are there documented procedures developed or anad on | - : | 
howto make privacy requests or requests for the correction of PI | [] | a 
| personal information? s. 12 (2) - - - 


_ Are individuals provided with access to their personal 
- information in the official language of their choice? S. 17(2) 


: If appropriate, are e individuals provided with access is their 
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Privacy 
Compliance 
Analysis 
question & 


Action required t to support legal and policy: com pliance - 


(cross reference to relevant question of Section 5 — Privacy 
Compliance Analysis) 


Challenging 
_ Compliance 


| Are the complaint — for the "n program or 
| service consistent with legis! lated requirements? s. 29- 35 


. To improve information management practices and statidards 


_ has a procedure been established to log and periodically review | 


: the nature, frequency and resolution of complaints? 


: Are there oversight and review mechanisms emeret or 
| availabl e to ensure accountability? 


| Have oversight agencies, including the Office of the Privacy 
. Commissioner, issued reports or opinions on issues that would 


be relevant to the proposal? 
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issioner Expectations 


in their March 2011 document, Expectations: A Guide for Submitting Privacy Impact 
Assessments to the Office of the Privacy Commissioner of Canada, the Office of the Privacy 
Commissioner (OPC) has expressed the importance of analysing the risks of the project, program 
or initiative against the ten universal privacy and fair information practice principles of the 
Canadian Standards Association Model Code for the Protection of Personal Information. 


The most relevant demonstration of the privacy risk and compliance analysis is the action plan. 
The OPC has said the following in their Expectations guide with respect to the action plan: 


Once privacy risks and their proposed mitigating measures have been identified, we expect to 
see an Action Plan drawn up by the institution, indicating a specific time frame for remedying or 
mitigating the risks that have been identified, and if possible, naming a specific person or staff 
position accountable for taking action. 


The action plan must list all privacy risks and compliance issues identified in the PIA and 
supplementary documentation. All risks and issues must be organized by the 10 universal 
privacy principles. 


All recommendations and proposed mitigation strategies must also be described in the action 
plan. identify the responsible program area and the timeline for completion or implementation 
of the strategy. The ATI and Privacy Division will provide programs with an action plan template 
to be addressed near the end of the PIA process. 


The expectations of the OPC for each privacy principles are included below for your reference. 


Accountability 
Under this principle the OPC would expect to see documentation of an administrative structure 
for privacy, including input from legal services, access to information and privacy and 
information technology branches within an institution, with defined processes for determining 
when new projects require PIAs, for carrying them out, implementing mitigating measures and 
auditing for assurance of compliance. We expect PIA reports to be signed off at the appropriate 
level, and that training in privacy issues and procedures has been documented and is refreshed 
with employees regularly; and that privacy protective language is included in all contracts with 
third parties handling personal information in accordance with TBS guidance documents and 
internationally accepted best practices; and that regularly scheduled privacy compliance audits 
will be undertaken and the findings acted upon. 


Identifying Purposes 

The Privacy Act restricts federal government institutions to the collection of personal 
information that relates directly to an operating initiative of the institution, so we would expect 
to see a clear description of the program and why each piece of information is needed; a 
description of the legislative authority for the collection; a clear listing of all the data elements 
collected; copies of any relevant documents such as application forms identifying the purpose 
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PT for the collection or on-line notices of use; a copy of an up to date Personal Information Bank 
(PIB) description; a statement of any proposed new consistent use of information previously 
collected and a clear rationale as to how the use is reasonable and directly connected to the 
original collection -- this may include an analysis of how an individual to whom it relates would 
reasonably expect it to be used for that purpose; a statement outlining any intended secondary 
uses of the information; whether the information is collected directly from the individual and if 
not, why; and a description of how personal information used for planning, forecasting or 
statistical purposes would be anonymized or de-linked from individual identifying information. 


Consent 

This is closely tied to the Identifying Purpose principle. Under this principle, OPC would expect 
to see a copy of notification language on forms or websites; a clear description of the purpose 
for collection; a rationale for not seeking consent, as is provided for in the Privacy Act; for web 
sites, a copy of the Privacy Notice Statement under which personal information is submitted to 
the institution. 


Limiting Collection 

Under this principle, OPC would expect to see a clear justification of the need for each data 
element collected, in keeping with the requirement of the Privacy Act that no personal 
information is to be collected by a government institution unless it relates directly to an 
operating initiative of the institution; an indication that a data minimization exercise has been 
undertaken to ensure that each data element is necessary and that this exercise will be 
refreshed regularly; and that information collected from another department for a secondary 
use will be purged of all but the essential data elements before use. 


Limiting Use, Disclosure and Retention | 

Under this principle, OPC would expect to see a description of the specific uses and proposed 
disclosures of the information; a clear statement limiting the use of the information to the 
purposes identified; a clear retention policy and disposition schedule that is also noted in the 
PIB; a process for destruction of the information that is in keeping with the Privacy Act and 
Regulations; copies of MOUs or agreements with third parties to whom information is disclosed 
governing its use, retention and disclosure, and clauses with contractors or sub-processors of 
information indicating the originating institution has the right to audit for compliance with 
privacy provisions. 


Accuracy 

Under this principle, OPC would expect to see a description of the process used by entities to 
ensure accuracy, particularly when administrative decisions are made; a description of how 
changes to records are logged and monitored; a statement of whether automated decision- 
making based on risk profiles is being undertaken and how automated decisions are vetted for 
accuracy; an explanation of the processes open to individuals seeking to correct information; a 
description of the process by which second or third parties to whom information has been 
disclosed will be notified of changes and corrections to the record; and a description of how 
audit trails of records transactions are monitored and evaluated. 
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Safeguards 

OPC would expect to see under this principle a description of the physical and electronic 
safeguards that are in place to protect information; a Threat & Risk Assessment (TRA) with bos 
emphasis on privacy risks and concerns and a discussion of how these concerns have been 
remedied or addressed; a notation that encryption is used for personal information both in 

transit and at rest; a description of how system logs of information transactions are monitored 

for inappropriate use, including viewing of the information; strong electronic access control, 
including controls on remote access, and the use of mobile devices; policies for the use of 
portable storage devices such as flash drives; a description of role-based access controls; and a 
description of the steps taken to ensure complete destruction of the information at the end of 

its life cycle. 


Openness 

Under this principle, OPC would expect to see a summary of the PIA written in plain, 
understandable language, posted on the institutional website in a manner accessible to the 
general public and containing a link to the relevant PIB description in CBSA Info Source; for 
particularly sensitive or privacy invasive programs we would expect to see the public 
communications plan described in the PIA, including a variety of methods such as posters, 
brochures and media announcements as well as detailed discussion of the PIA in the institution's 
Annual Report under the Privacy Act; a description of consultations with key stakeholders and 
the privacy risks or concerns raised should be readily available on the website; the name and 
contact information of an individual accountable for the handling of personal information 
should be easily obtained through the website or by calling the institution's main public number. 


Individual Access — 
Under this principle, OPC would expect the PIA to include a description of any informal process 

the CBSA may have in place for access to and correction of personal information; an up to date 

and comprehensive description of information contained in the PIB corresponding to the 

initiative; a description of the process by which information in the hands of third parties is 

corrected following requests; a description of how the general public is made aware of these 

processes, for example, by a link and/or a toll-free number shown on the home page of the 

institutional website. 


Challenging Compliance 

OPC would expect to see the PÍA address this principle by indicating clearly who is responsible 
for receiving and resolving privacy complaints; describing complaints that may have been 
received in any similar activity or pilot project and how they were handled; including privacy 
issues in project evaluations or feasibility reports; describing how and when compliance audits 
for privacy will be undertaken; including information on how to file a complaint with OPC under 
the Privacy Act; and reporting in some detail on specific and/or systemic privacy issues in its 
Annual Reports. 


CBSA — CISC Information is Framework PROTECTED | PIA 


| ‘Ann nex C: : PIA Action Plan 


Screening Division is not | een with ATI Pi in nie to ensure aie the 
| reflected in InfoSource. | program area continues to comply with privacy 
| | regulations, | NN 
| 2 | Existing PIBs require | Proposed changes to the relevant PIBs have June, 2017 ATIP / | 
| updates to reflect the | been noted in Section 1 of this PIA. The CBSA | Program Areas ' 
CBSA-CISC Information — | has committed with Treasury Board to a | | 
Sharing Framework. | preliminary round of updates to infoSource to 
be completed by June 2017. These updates 
include a reorganization to reflect the new 
| Program Alignment Architecture of the Agency 
| as well as updating references to both internal 
| and external Divisions and departments. 


| Phase 2 of the updates will address the gaps in 
| the Agency's current PIA inventory and begin | 
| work on assessing legacy programs. There is no | 
| anticipated completion date for this Phase as it 
|! will be a continual process with the 

| development of new programs. 


i 
E 
ttt e lC E Sn 
ttt Pe ISERNIA Ae iir s t t 


| This PIA reflects the current Program Alignment 
; | E Architecture. 

: 3 | Threat and Risk An ongoing plan to identify and update 
| Assessments have not yet | requirements for TRA's on all legacy data 

| been undertaken forall repositories that do not have a defined 

| | CBSA databases housing | decommissioning date has been undertaken by 
personal information | the CBSA. : 


| On-going | 


| Program Area 


| collected from partner | 
| agencies. | The Agency is currently in the process of | 
| approving Statements of Sensitivity for | 
Intelligence Management System (IMS) and 
| Criminal Intelligence Information Management 
| System (CIIMS). Once approved, TRA's will be 
undertaken. 


| À TRA was undertaken on NCMS by | 
| Immigration, Refugee and Citizenship Canada in | 
1998 prior to the creation of the CBSA. - 
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information | 
Management / - 
Program Areas 


| Record retention | As part of the exercise mentioned in #3, all 
| schedules forthe CBSA — | current legacy systems without 

| databases described | decommissioning date are being reviewed to 
| above have not yet been | ensure compliance with privacy, information 
| applied. management and IT management principles. 


| On-going 


: During this review, purge dates will be 
examined and plans put in place to ensure data 


is stored and destroyed properly. 
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Annex D: CBSA Governance Model — Access and u 
elligence Information System 


se of the Automated Criminal 


PURPOSE 


The purpose of the Governance Model document is to provide an overview for how the Canada 
Border Services Agency (CBSA) will support the Criminal Intelligence Services Canada (CISC) 
national strategy to combat serious and organized crime including the lawful authorities for the 
Agency to access; request and use the data contained in the Automated Criminal Intelligence 
information System (ACIIS). 


EXECUTIVE SUMMARY 


The CBSA and CISC are significant contributors in the fight against serious and organized crime in 
Canada. On August 22, 2014, both agencies entered into a "Statement of Cooperation" and 
agreed to the "Adopted Resolution" confirming their commitment to enhance information 
sharing for the purposes of improving the detection and dismantling of serious and organized 
crime in Canada. CBSA access to ACIIS is facilitated by a Memorandum of Understanding (MOU) 
which defines the parties’ responsibilities regarding access and use of ACIIS and the framework 
for cooperation. ACHS enhances the CBSA's ability to identify persons and their networks 
involved in orchestrating and facilitating smuggling operations undermining the integrity of the 
border and threaten the security and prosperity of Canada. Obvious benefits of the CBSA 
partnership with the CISC are: 


e OFFICER SAFETY: access to information previously unavailable warning of potentially 
dangerous encounters placing officers at risk; 


e INTELLIGENCE DEVELOPMENT: increase inter-agency cooperation to identify modus 
operandi, trends, new and emerging threats, and additional leads supporting 
investigations; and, 


e DE-CONFLICTION: advance knowledge of on-going investigations allowing greater 
opportunities to collaborate and leverage resources related to subjects of mutual 
interest. 


Section 4 of the Privacy Act permits the CBSA to collect information contained in ACIIS for the 
purpose of carrying out a lawful investigation, if the request specifies the purpose and describes 
the information to be disclosed as it relates directly to an operating program or activity of the 
institution. Paragraph 8(2)(a) of the Privacy Act permits the CBSA to use information collected 
from the ACIIS for a purpose directly connected to serious and organized crime. CBSA purposes 
which directly involve law enforcement include: criminal enforcement of offences under various 
CBSA statutes; intelligence to identify serious border criminality; and inland immigration 
enforcement to detect and remove serious criminals from Canada. If additional information is 
required CBSA officers will seek written permission from the contributing law enforcement 
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agency to support an investigation of a border related crime(s) under paragraph 8(2Y(e) of the 
Privacy Act. 


CANADA BORDER SERVICES AGENCY RESPONSIBILITIES 


The Agency is responsible for providing integrated border services that support national security 
and public safety priorities and facilitate the free flow of persons and goods, including animais 
and plants, that meet ail requirements under the program legislation. The Agency's legislative, 
regulatory and partnership responsibilities include the following: 


e administering legislation that governs the admissibility of people and goods, plants and 
animals into and out of Canada; 
+ detaining those people who may pose a threat to Canada; 
e removing people who are inadmissible to Canada, including those involved in terrorism, 
organized crime, war crimes or crimes against humanity; 
e  interdicting illegal goods entering or leaving the country; 
+ protecting food safety, plant and animal health, and Canada's resource base; 
* promoting Canadian business and economic benefits by administering trade legislation 
and trade agreements to meet Canada's international obligations; 
e enforcing trade remedies that help protect Canadian industry from the injurious effects 
of dumped and subsidized imported goods; 
* administering a fair and impartial redress mechanism; 
e promoting Canadian interests in various international forums and with international 
organizations; and 
e collecting applicable duties and taxes on imported goods. = 


CBSA Authority to Access and Use ACIIS Data 


The lawful authorities for the CBSA's Investigative Body Designated (IBD) program areas to 
access and use ACIIS data in support of investigations enforcing legislation dealing with border 
related crime(s) are: 


e Section 4 of the Privacy Act permits the collection of personal information by a 
government institution as long as it relates directly to an operating program or activity 
of the institution. 


CBSA Act: 

e Paragraph 5(1)(a) of the CBSA Act, the CBSA's mandate is to provide integrated border 
services that support national security and public safety priorities and facilitate the free 
flow of persons and goods that meet all requirements under its program legislation, by 
supporting the administration or enforcement of its program legislation. 


è Subsectic on 7(b) of the Privacy Act requires that “personal information" under the 
control ofa government institution shall not.. .be used by the institution except... (b) f 
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SU UN purpose for which the information may be disclosed to the institution under subsection 
| 8(2) of the Privacy Act; 

e Paragraph 8(2)(a) of the Privacy Act permits CBSA officials who have Investigative Body 
status to access personal information in ACIIS if its purpose is consistent with the reason 
why the information was initially collected; 

+ Paragraph 8(2)(e) of the Privacy Act, provides that a federal government institution may 
disclose information, upon request, to an investigative body where the information 
relates to a lawful investigation: 


(institutions with Investigative Body Designated {IBD} status are listed in Schedule H of 
the Privacy Regulations.) 


Measures Act. 


immigration and Refugee Protection Act (IBD Designation): 
* Subsection 6(1) of the immigration and Refugee Protection Act (IRPA) provides the 
authority to designate officers to carry out any purpose of any provision of this Act. 


ə Pursuant to paragraph 3(1)(h), one of the objectives of the IRPA is to protect public 
Qm health and safety and to maintain the security of Canadian society. 


Privacy Regulations (IBD Designation) CBSA Programs Areas 


Criminal Investigations Division {CID}: 

Iniand Enforcement Operations (EO); 

National Security and Screening Division (NSSD)*; 
Intelligence Operations and Analysis Division (IOAD); and, 
National Targeting Centre Targeting Intelligence (NTC TI}*. 


wb w ON op 


Within each 1BD program area there will be a limited group of authorized personnel who will 
have the ability to conduct queries in ACIIS for intelligence and investigative purposes. 


(*it should be noted that Schedule II of the Privacy Regulations lists three divisions within the 
CBSA with IBD status. Due to re-engineering of the CBSA's organizational structure there are 
now five IBD program areas. The Intelligence and Targeting Operations Division has been 
restructured into three separate IBD program areas comprising of Intelligence Operations and 
Analysis Division, National Targeting Centre and National Security Screening Division. Schedule il 
of the Privacy Regulations will require an update reflecting the five IBD program areas.) 
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The CBSA has access to unique information collected during the processing of persons and — 
goods arriving or departing from Canada. information pertaining to persons involved in a 

serious and organized crime can be shared with law enforcement partner agencies to assist an 

ongoing investigation. Examples of the types of criminal activities an organized crime group 

may be involved are: drug smuggling, human trafficking and money laundering which are 

indictable offences. An organized crime group is made up of three or more persons working in 
collaboration to facilitate a criminal activity from which they gain a personal benefit. CBSA 

information analyzed in conjunction with ACIIS data may assist to develop additional leads into a 

border related crime or a police investigation for organized crime activity. 


CRIMINAL INTELLIGENCE SERVICE CANADA MANDATE 


The mandate of the CISC is to lead the strategic and operational intelligence effort to combat 
organized crime and serious crime across Canada and help ensure the timely production and 


exchange of criminal information and intelligence among the law enforcement community, in 
support of the Canadian Law Enforcement Strategy to combat organized crime. 


criminal organizations and their activities with the goal of providing actionable intelligence 

aimed at more effectively controlling, reducing and preventing organized and serious crime in 

all communities across Canada. The CISC employs an intelligence-led approach to operations 

which serves to assist in the development and implementation of effective public policy, crime | | 
reduction and prevention strategies. Rd 
Automated Criminal Intelligence Information System (ACIIS) 

ACIIS is the Canadian law enforcement community's national database containing criminal 
information and intelligence on organized and serious crime. Information contained within 
ACIIS is used in the production of the National Threat Assessment (NTA) that enhances the 
ability of law enforcement and government to develop strategies and policies to deal with 
organized and serious crime. ACIIS has become the information sharing tool used by the 
Canadian Integrated Response to Organized Crime (CIROC) for operationalizing National 
Targeting Enforcement Priorities (NTEPs) and the NTA. 


ACIIS Data 


In general terms, ACIIS contains data on criminals or suspected criminals and businesses or 
organizations if they are involved in organized crime, involved in serious crime that may affect 
more than one jurisdiction, or involved in specific activity as acknowledged and identified by 
the Director General of CISC. 
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THIRD PARTY RULE AND THE CONSISTENT USE REQUIREMENT 


The CBSA will request permission, in writing, from the contributing law enforcement agency to 
use the data contained in ACIIS to investigate and enforce a border related crime. Paragraph 
use elements are identified and articulated by the CBSA in all requests seeking permission to use 
ACIIS data. All requests made by the CBSA will include: 


the information the CBSA is seeking; 

authority to request and use information; 

legislation(s) that the information requested will assist to enforce; and, 

notify the contributing law enforcement agency if information will be shared outside the 
CBSA. 


The mandate and responsibilities of all five IBD program areas are detailed in the proceeding 
sections. Examples demonstrating consistent use requirements, as set out in paragraphs 
8(2)(a)&(e) of the Privacy Act, are also provided for reference purposes. The CBSA recognizes 
that having IBD status does not grant access to the ACIS system; the CISC and Provincial 
Bureaus hold authority to approve or deny access of this system. 


CBSA ACIS REQUIREMENTS BY PROGRAM 


Criminal investigations Division: 


The mandate of the Criminal Investigations Division (CID) is to support the CBSA's public safety 
and economic prosperity objectives by investigating and pursuing prosecution of those who 
commit criminal offences against specific border legislation. 


CID investigates fraud and smuggling offences under the Customs Act and the IRPA as well as 
offences under or related to an additional 90 federal statutes that the CBSA administers. The 
CBSA's regional criminal investigators are responsible for operational activities including, but not 
limited to: 


ə investigating fraudulent activities related to the importation/exportation of goods and 
the movement of people; 

+ reviewing leads, researching, gathering evidence; 

e executing search warrants; 

e preparing and serving documents (corrective, civil, criminal); 

e assisting foreign customs administrations with their investigation of customs offences 
via Customs Mutual Assistant Agreements, Mutual Legal Assistant Treaties; and, 

« supporting criminal prosecutions (preparing Crown Briefs, recommending specific 
charges, assisting the Public Prosecution Service of Canada). 


Regional investigators continue to investigate trans- jurisdictional smuggling operations planned 
by criminal organizations. These investigations often result in the identification of a personís) 
and/or businesses operating across Canada; requiring greater coordination amongst federal, 
rts the access and u 
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data, the information contained in the system will assist in the identification and disruption of 
smuggling organizations. During the course of an investigation CID officers will: 
e query ACIIS as per paragraph 8(2)(a) Privacy Act; 
e contact the contributing law enforcement agency advising of CBSA interest and seek 
permission to use information contained in ACIIS as per subsection 7(b) and paragraph 
8(2)(e) of the Privacy Act; and, 
e use the information to enforce the Customs Act and the IRPA. 


Data Elements: 


"Vehicle Record Field" contains information valuable to CID investigators as the information can 
confirm licence plate information, make and model of vehicle(s) and associations to a person or 
business. 


"Types of individuals" field contains information investigators can use to develop additional 

investigative leads. The data may identify activities and associations unknown to the CBSA such 

as associations to a gang, suspect activities and linkages to organizations. Criminal investigators 

are required to attend interviews at ports of entry, at a public and private locations, execute 

warrants, interview and arrest and transport person(s) in the custody of the CBSA. Access to : : 
"types of individual data" will assist to anticipate and identify violent behaviours and those of Sua 
associates that may be encountered in the dwelling during the course of the investigation; 

recognizing the importance of officer safety. 


Further examples of ACIIS data elements supporting CID investigators are detailed in the Privacy 
impact Assessment. 


The mandate of the CBSA Inland Enforcement Operations (IEO) is to enforce the regulatory 
provisions of the /RPA related to immigration investigations, hearings, detentions and removals 
of inadmissible persons in Canada. Inland enforcement officers support the objectives of IEO 
and enforce the regulatory provisions of /RPA by: 


+ identification of individuals inadmissible to Canada under the IRPA, including persons 
inadmissible due to serious and organized criminality; 

e conduct interviews and prepare inadmissibility reports; 

e issue removal orders; 

* refer inadmissibility reports for review/decision to the Immigration and Refugee Board 
(IRB); 

e arrest and detain inadmissible persons who are a flight risk; 

e arrest and detain inadmissible persons who are or may be a danger to the public; 

etention; 
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e investigate the whereabouts of absconders; 
e arrange the removal of inadmissible persons; and, 
* conduct escorted removals of individuals to their countries of origin. 


IEO also holds responsibility for national operational planning and case management of irregular 
migrant arrivals. During these specific cases the IEO ensures the effected regional office(s) has 
access to all available information and resources to appropriately assess and make a 
determination for admissibility to Canada. Support and functional guidance is provided to the 
effected CBSA regional offices in making a determination for inadmissibility based on linkages to 
serious criminality, organized crime, war crimes/crimes against humanity and national security 
concerns. 


The IEO supports the access and use of ACIIS data; information contained in the system will 
support the determination for admissibility purposes. The information will assist enforcement 
officers to locate individuals avoiding CBSA enforcement action and the subsequent removal 
process. inland enforcement officers using ACIIS will: 
e query ACIIS as per paragraph 8(2)(a) Privacy Act; 
* contact the contributing law enforcement agency advising of CBSA interest and seek 
permission to use information contained in ACIIS as per subsection 7(b) and paragraph 
8(2Ye) of the Privacy Act; and, 


e use the information to enforce the IRPA and the regulations. 
Data Elements: 


"Person Record Field" contains information inland enforcement officers may use to support the 
removal of a person inadmissible to Canada. The data contained in the Person Record Field will 
assist officers to confirm the identity and any linkages to criminality, supporting the 
enforcement and subsequent removal of an individual for inadmissibility purposes. 


"Telecommunications Record Field" contains data which may assist inland enforcement officers 
locate, detain and or arrest absconders from Canada. Access and use of this information will 
allow inland enforcement officers further opportunities to locate a person avoiding the removal 
process. Inland enforcement officers are required to assess risk to officer safety prior to any 
enforcement actions and during inland enforcement investigations. Access to ACIIS data may 
mitigate or notify CBSA officers of any safety concerns unknown to the CBSA. 


Further examples of ACIIS data elements supporting IEO investigators are detailed in the Privacy 
impact Assessment. 
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The National Security Screening Division (NSSD) of International Region, Operations Branch, is et 
responsible for the screening of temporary and permanent residence applicants seeking entry to 
Canada as well as in-Canada refugee claimants. The NSSD is responsible for conducting /RPA 
screenings of persons for potential inadmissibility for organized crime, crimes against humanity 
and genocide, terrorism, espionage and subversion. To achieve these objectives, NSSD ensures 
the timely delivery of security screening products and services to clients both internal and 
external to the CBSA. Criminal organizations have become increasingly more sophisticated; 
operating beyond traditional borders and representing enforcement challenges to traditional 
law enforcement agencies. Only through collaborative efforts can law enforcement agencies 


organizations targeting Canada. 


Access to the ACIIS data will allow NSSD officers to conduct comprehensive and timely security 
screenings of refugee claimants physically located in Canada, with linkages to organized crime 
and represent a public safety concern. NSSD officers provide recommendation to CBSA 
enforcement officers of persons with linkages to serious and organized crime to be removed 
from Canada. NSSD officers using ACIIS will: 


e query ACIIS as per paragraph 8(2\a) Privacy Act; 

e contact the contributing law enforcement agency advising of CBSA interest and seek 
permission to use information contained in ACIIS as per subsection 7(b) and paragraph 
8(2Ye) of the Privacy Act; and, 

e use the information to enforce the IRPA and the regulations. 


Data Elements: 


"Person Record Field" contains data which may assist to screen refugee claimants residing in 
Canada, for linkages to serious and organized crime activities. During the screening process, 
NSSD officers routinely encounter cases involving applicants suspected of supporting 
transnational criminal organizations - MEM 


the applicant's association to proceeds of crime activities or identifying 
linkages to organized crime supports NSSD officers recommendations into further investigations 
into the activities of the refugee claimant for linkages to organized crime which may result in the 
determination of inadmissibility. 
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Further examples of the ACIIS data elements supporting the NSSD officers are detailed in the 
Privacy Impact Assessment. 


intelligence Operations and Analysis Division: 


The Intelligence Operations and Analysis Division (IOAD) holds responsibility for the production 
of operational, strategic and tactical intelligence for the purpose of strengthening the 
effectiveness, efficiency and the delivery of the integrated intelligence and enforcement 
priorities of the CBSA. The IOAD collects intelligence from multiple sources and performs 
analysis of the data for the purposes of production and the dissemination of strategic, 
operational and tactical intelligence products and services. Other key functions are: 


functional intelligence support; 
guidance to decision-makers for the purposes of proper risk management based on the 
current threat environment; 

e timely distribution of intelligence products and delivery of services to internal and 
external stakeholders and clients. 


Access to ACIIS will provide additional opportunities for IOAD analysts to collect data to identify 
rms the current threat environment and the development of mitigation strategies supporting border 
| integrity. IOAD officers will use ACIIS data supporting CBSA regional intelligence offices and 
their operations through the development of intelligence products identifying the activities of 
national and transnational organizations. IOAD officers using ACIIS will: 


query ACIIS as per paragraph 8(2)(a) Privacy Act; 
contact the contributing law enforcement agency advising of CBSA interest and seek 
permission to use information contained in ACIIS as per subsection 7(b) and paragraph 
8(2)(e) of the Privacy Act; and, 

e use the information to enforce the Customs Act and the IRPA. 


Data Elements: 
"Person Record Field" contains data IOAD analysts may use to develop intelligence and leads 


identifying companies, vehicles and associates unknown to a law enforcement partner agency 
involved in an active investigation. 


Canada Border Services Agency 
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"Transportation Record Field" contains data that can be analysed and developed for the 
purposes of issuing lookouts on vehicles associated to human smuggling operations or the 
transportation of crime guns into Canada. The information collected by CBSA from border 
enforcement operations can be used to support multi-agency enforcement operations. 


Further examples of the ACIIS data elements supporting the IOAD analysts are detailed in the 
Privacy impact Assessment. 


National Targeting Centre: 


At this time, the CISC will not grant the National Targeting Centre (NTC) access to ACIIS. 
However, after the one year review the National Executive Committee may reassess the 
recommendation for possible inclusion of the NTC. 
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Annex E — CBSA — CISC Statement of Cooperation 
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Statement of Cooperation 


Between 
The Canada Border Services Agency 
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| | CRSA IST à 004 
| CBSA PPU 061 
Mr. Martin Bolduc, Vice Presi dent, Programs 


| Mr. Dan Proulx, ATI and Privacy Director 


aa priver’s s Licence and Eliharicad identification Card ns Lise oF EDL “date by the t m 

which is a collaborative program between the Canada Border Services Agency (CBSA) and three 
participating provinces: Ontario, Manitoba and British Columbia. A fourth province, Quebec, also initially 
participated but discontinued the availability of a Quebec Enhanced Driver's Licence (EDL) to new 
applicants in October 2014. Quebec EDLs currently in circulation will remain active until they expire, and 
as such, are out for scope for this addendum. These provinces earlier agreed to make available enhanced 
documents (such as a Drivers Licence or an Identification Card) that meets the requirements of the 
Western Hemisphere Travel Initiative, allowing Canadian citizens to use the identification to facilitate 
land or water travel between Canada and the United States (U.S.). 


Personal information is collected by the provinces and provided to the CBSA to enable query access by 
U.S. Customs and Border Protection in the event that a Canadian presents their card as identification at a 
land/water Port of Entry. Historically, the EDLs/ Enhanced Identification Cards {E (EICs) were only available 
for use to enter the U.S. The CBSA's Border Services Officers (BSO) did not have query access to the 
database to verify the validity of the documents, and accepting them as identification to confirm 
citizenship for re-entry was at the discretion of the BSO. The CBSA has undertaken the policy and 
technology work to permit BSOs to have access to the CBSA's EDL database and equipped select Ports of 
Entry with Radio Frequency Identification (RFID) abilities to read the card. Ports of Entry that are not 
RFID-enabled will still be able to scan/swipe the cards and access the CBSA database. It should be noted 
that CBSA BSOs have always had access to the Lost Stolen Fraudulent Document Database (LSFD) module 

within the Field Operations Support System (FOSS), which is now the Global Case Management System 
(GCMS). 


It is expected that this information will become available to CBSA BSOs in October 2017. 


_ Protecting your Personal information 
The following personal information elements are managed by the Traveller Programs — Program and Policy 
| Management: 
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| Transmitted by the province to the CBSA when the EDL / EIC is issued: 


+ Name (Given (First) Name and Surname (Last)) | 

e Birth date | 

* Biographical information (Gender) 

+ Identifying Numbers (Restriction and Endorsement Codes, Tag Identification Number (TID), Optical 
Character Recognition unique identifier (Encoded Document Number (EDN)) 

* Radio Frequency Identification (RFID) unique identifier ( ID) 

* Validity Dates (Issue and Expiry Dates) 

* 

* 
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Visual image of EDL holder 
Citizenship of Individual 
ə  Licence/Card Status 
* issuing Country 
e Issuing Jurisdiction (province) 
| + Document Type 
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| Available on the card when used by the holder to cross at a land / water Port of Entry: 


+ Name 

Address 

Birth Date 

Driver Licence Number 

Driver Licence Class 

Validity Dates (Issue and Expiry Dates) 

Picture of Entitled Holder 

| Biographical Information (Height, Weight, Eye Colour, Hair Colour, Gender) 
: RFID chip (embedded) | 
| Citizenship (denoted by the “C”) | 
: e Signature of EDL holder | 
identifying Numbers (Restriction and Endorsement Codes, Tag Identification Number (TID), Optical | 
| Character Recognition unique identifier (Encoded Document Number (EDN)) | 
* Radio Frequency Identification (RFID) unique identifier (ID) 
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> e 9" + è © y 


* 


| There is no intention to change the elements of personal information to be collected, used or disclosed. 
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| ABBREVIATIONS AND ACRONYMS 


Note: Using the table format below, list any abbreviations and acronyms that are used in this report. Expand the list to include 
acronyms specific to the program or initiative, as necessary. 


The following is isa a list of EOM SEO and acronyms usedi in this report: 


l AFIS E Automated Fingerprint Identification System [ 
| ATIP i | Access toh r inform ation n and. Privacy RS MEM | 
r3» ns am ritish Columbie bia Hi n -——" —— | 
ra ks Br “Border Crossing | Information SR a nn ed ust ag t deae t Adi a 
= . - o se “todas neo ur es ee | 
AR HE T EN obe dui dE x | e er 


CPIC | Ca nadian Police Information Centre (cP C) 
CSO | Client Status Query | 
a — nied m MU) Ku —29Ó—— = es "—— 
| EDL - Enhanced Driver's Licétice (please ni note: = use eof thea acronym | EDL i in víhis- 


l document refers to both EDLs and EICs unless specified otherwise) 

EDN _| Encoded Document Number — mnm 
ae | Enhanced identification carg = 
Foss e E 2 : Opens Seed ose — pu a 


| GCMS | Global Case Management System. 3 
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| ID | identification 


——————— mai 
: {DS | Intrusion Detection System 


i Interdiction and Border Alerting System | | 


i Insurance Corporation of British Columbia 
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| Integrated Customs Enforcement System 
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| IRPA “Immigration and Refugee Protection Act 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Use of Enhanced Driver's Licence and Enhanced Identification Card Information by the Canada | PIA 
Border Services nd 


| Rcs —— —À eo = a 
Lot ~ EN Government pe mem | E 9À E 
- CREER: hu Sa —X———S ee 
| PIB | Personal Information Bank | 

ne nn - | vais ien a iet ———— ———ssn eee 
L3 a 3 ; e EE Re —— € eat T eet 
r7 — ree » m E E — ee eee ERR — tals 
y mm —À $ : Te CT IER 
SAAQ | Société de l'assurance automobile du Québec 
| : —— Oe = je aE a ee d 
Ej - oo Fee ~ — — — M — € — | 
Si sus re € rer ons 
| ana, om mes e: Se See D E Lec qM — 
x s — S Treasury ae PS — Fs née F 
oe E » à Les E "UM CC M M CE T 

| : “pat T 0 ——P/—— 

(TRCS | Telephone Reporting Centre System ——- ng 
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| DEFINITIONS 


This section provides definitions of the terms frequently used in this report: 


| Administrative 
Purpose 


| Consi istent use 


| Personal 
| Information 


| Personal 
Information Bank 


| Radic io Frequency 
identification 
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The ‘Action Plan describes the steps that the PiGEram will take io ades risks that eas pien 
| identified by ATI and Privacy Divisi ion, OPC and TBS. | 
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| The Privacy Act defines an “administrative purpose” to be ieu use e ofa an n individual/s personal 
| information ir ina a decisi ion- making process that directly affects that individual. 


- À consistent use is a use that has a reasonable and ditect connection to the original purbase(s ) for 
| Which the information was obtained or compiled. This means that the original purpose and the 

| proposed purpose are so closely related that the individual would expect that the information 

| would be used for the consistent Purpose, even if the use is ; not Spell ed out. 


: A comparison of personal data obtained from a variety ófs sources, inc luding personal information 
_ banks, for the purpose of making decisions about the individuals to whom the data pertains, Data 
| matching is a specialized activity involving the collection, use and disclosure of personal 

| information that i is subject to the various requirements of the Privacy Act. 


an identifying number, symbol or other particular assigned only to that person. The personal 
- information described in the personal information bank has been used, is being used, or is 
available for an administrative purpose and is under the control ofa government institution. 
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- The Office of the Privacy Commissioner of Canada hee bes " privacy" as ^.. the piste to eu. 

! access to one's person and information about one's self. The right to privacy means that 

| individuals get to decide what and how much information to give up, to whom it is given, and for 
| what uses.' 


- Radio: frequency identification (REI Du unique e identifi er (ID) is the wireless u use wot drone 
| fields to transfer data, for the purposes of automati ically identifying and tracking tags attached to | 
| Objects. CBSA will implement "vicinity" RFID, allowing an RFID chip to be read within 3 — 5 metres | 
_ of an RFID antenna. | 


AR E E EE P in tm t nnan n nnt 
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2 Is a series of annual Treasury Board Secretariat publi tioni in which SNAN institutions are | 
: required to describe their institutions, program responsibilities and information holdings, 

| including PIBs and classes of personal information. The descriptions are to contain sufficient | 
- dari ity and detail to facilitate the exercise of the right of access under the Privacy Act. 


se " a consistent use that was not originally identified in ihe appropriate Personal Information Bak : 
: {PIB} description i in 1 the government institution’ 5 s chapter ir in i Info Source. 
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Information about an identifiable individual as defined in section 3 of the Privacy Act. This 


| definition, although lengthy, is not exhaustive, as indicated by the introductory phrase, "including, 
: without restricting the generality of the foregoing". Information that is not specifically mentioned : 
2 in the list may still be included in the definition of personal information if it qualifies as | 
_ "information about an identifiable individual". 


isa desérigtion of nee ifonnaton that i is t organized and retrievable e iyd a person's name or by 
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CTION 1 - OVERVIEW AND II 


ITA 


Report Objectives 


This report is an addendum to the Privacy Impact Assessment (PIA) for the Enhanced Driver's Licence / 
Enhanced Identification Card Program of the Canada Border Services Agency (CBSA). The objectives of 
this PIA are: 


to review the business processes in order to identify the data flow of personal information; 
to analyze the collection, use, disclosure and retention of personal information; 

to determine if there are any associated privacy risks; and 

to provide recommendations on the mitigation or elimination of the risks. 


* + # 


The information presented in this report follows the Treasury Board of Canada Secretariat Privacy 
impact Assessment policy and guidelines. 


E The restifts at a PIA area s degentes guarantee that privacy i issues have best identified and. 
adequately addressed. 


Government Institution: Canada Border Services Agency 


| Government Official Responsible for the Privacy Head of the government institution / Delegate for 
impact Assessment section 10 of the Privacy Act 


| Mr. Martin Bolduc Mr. Dan Proulx 
CBSA, Vice President, Programs CBSA Access to Information and Privacy: Director 2 


jl ————————————————————————— —— HERRERA — (——À 


Port of Entry Operations: Admissibility Determination: Highway Mode 


Through the Admissibility Determination Program activity, the CBSA develops, maintains and administers 

the policies, regulations, procedures and partnerships that enable border services officers to intercept 
| people and goods that are inadmissible to Canada and to process legitimate people and goods seeking entry | 
| into Canada within n established service standards. 


Use of Enhanced Driver's Licence and Enhanced Identification Card Information by the Canada PIA 
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Description: Describes records related to the EDL/EIC Program, which is a voluntary program available to | 
eligible Canadians who reside in a province or territory where the Program is offered by that Province or _ 
Territory. May include records identified in the electronic systems used to administer or manage the | 
informaiton including the Canada Border Services Agency (CBSA) EDL/EIC database and the CBSA Lost | 
Stolen Fraudulent Document Database (LSFD), which is a module of the CBSA Interdiction and Border - | 
Alerting System (IBAS). | 
i 
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Class of Record Number: | CBSA IST 004 


[X] Proposal to modify an existing Personal Information Bank - identify PIB registration number and current 
description: 


e: 
Lad 


PIA 


Use of Enhanced Driver's Licence and Enhanced Identification Card Information by the Canada 
Border Services Agency 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


(Modifications to the existing PIB are shown through strikethrough (remove) and red (add) text.) 


coe This ba nk descri bes personal T x is collected f from a provincia alc or terri itori 7 pouce program and used in 


information i in its EDLC database. to enable Border Servi ces Officers to verify J the validity of the ocument Land thel 

traveller, when itis presented for cross border travel. In addition, the information will be avail able ee c oy db asist | es 
(U.S. ue customs and Border Protection uad n determining the sae Sy of an EDL holder f for entry into h y 
ao elei iube rabat mne CPE PLE o ah ele a a RD. pit CN PNY à da: th. ch EY - xs ic See aes a tA c E Ii cn d T D hc * wa 
SA D a Se Fett à ath tae See RS da di ie ME ER e ao ITIN (1 i ia CE Aa » > à on tat Log CPE j ca CCCPEPEP 


BorderSeryices-Agency-(CBSAY, U. s. CBP will use this information to verify the validity of the card, as well z as the citizenship. and 
identity o of the holder. The personal information collected from by participating provinces andterritories may include: Full Name 


m rst name, last did Bith date, Gende, (ue die Rad mage ee Hig Merian n Bundes 2 Optical 


ince; ? Ex ‘pirat tion py anc dali Date. 


Purpose: Tbe iege information: rei ied to the EDL/ | Pu vil be: used to o facili tate cross horder travel at 

iacian land ports of entry. To facilita te thi on wil be made avails ble for query purposes: to US. 
CBP and the CBSA. i dto-administerthe EDI feiCinformati the-CanadaBorder Services Acenev (CRSA) 
inc -CRR- Personal information is collected d pursuant t tos ect ons 


4121, 18(1] and 19/1) 
E ? E 
Consistent Uses: The vue may ybe used: or r disclosed for the e folowing pu purposes: administration, Saen $9 
evaluati on of the EDL/EIC Program 


Dm Mad. r o ang sn 


Ts 2; Fa Peery, B. Li Fr LM H PSS i i 35 Fe E f b f edo HOS La zx. rx ER RAE ORE EF E e + rr Ac We E 
TETERA AER = civ ENS Eee: Dati re pe à T 


'FOtectiord-wnhen-seeking-entey-inte-the-Enited State LÉ For the details © on IT S CBP' $ : handling of the information collected upon 
enin into thel U. s. refer! to the Border cocaine Information System of Records Notice oe aN 73, e 43, 457. Province(s ) or 
ida did joco P Personal nformatie ion may be shared between the: canad a-Bord rvices-Agency LCBSA: 


ioi cal Character Recognition u unique à identifier sr (also referred t toas i Encoded B Bocument Number EON, dn issuance date, 
Document type (EDL or EIC), Licence Issuing Jurisdiction (PT), issuing Country as well as the reason code (Lost/stolen issued, 
lost/stolen blank card, cancelled/revoked, fraudulently issued/obtained, etc.) may be shared with 3y provinces/territories where 
see occur to thes status of the EDL. | n n these insta nces, the provinces/territori es are responsible to gather and send to the 

= 3 vices Agencyt tst i lent-L SF) EDLs, EDLS where the holder has deceased, 


| and EDLs that. are no longer valid ü. e. cancelled]. 

| Retention and Disposal Standards: EDLs/EICs are retained by the Canada-Boc ices-Agency-(CBSAS as long as they are 

| deemed to be active by the province or territory that issued them. When < an | EDL/E) EIC i is deemed to be inactive (expired, lost, stolen 
surrendered, no longer valid, cancelled, Taudulentiy ol obtained, holder decensed by: the pon 9 or emo that e it, the 
province or territory notifies the canada-Border-s Agency CBSA}. The Canada-Border-Seryi Bey 
EDL/EIC records for two (2) years following the last administrative action (i.e. when the. conada-Border-Seryices-Age 
advised that the card is no longer active for border-crossing purposes). The information is then destroyed according t to jthe 
Government of Ca nada’ s secure disposal requirements. 

: RDA i Number: s AGN : iene hu 
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Use of Enhanced Driver's Licence and Enhanced Identification Card Information by the Canada PIA 


Border Services Agenty 


“Enabling authority for the use, collection and disclosure of informat! on bu the CBSA is the migration: and 
Refugee Protection Act, sections 4(2), 18(1) and 19(1). 


4. (2) The Minister of Public Safety and Emergency Preparedness is responsible for the administration of. 
this Act as it relates to 


(a) examinations at ports of entry; 
(b) the enforcement of this Act, including arrest, detention and removal; 


(c) the establishment of policies respecting the enforcement of this Act and inadmissibility on grounds of 
security, organized criminality or violating human or international rights; or 


(d) declarations referred to in section 42.1. 


18 (1) Every person seeking to enter Canada must appear for an examination to determine whether that 
person has a right to enter Canada or is or may become authorized to enter and remain in Canada. 


i 


19 (1) Every Canadian citizen within the meaning of the Citizenship Act and every person registered as an 
Indian under the indian Act has the right to enter and remain in Canada in accordance with this Act, and an 
officer shall allow the person to enter Canada if satisfied following an examination on their entry that the 
person is a citizen or registered Indian. 


Enabling authority is also found in the Customs Act, section 11. 


11 (1) Subject to this section, every person arriving in Canada shall, except in such circumstances and 
subject to such conditions as may be prescribed, enter Canada only at a customs office designated for that | 
purpose that is open for business and without delay present himself or herself to an officer and answer 
truthfully any questions asked by the officer in the performance of his or her duties under this or any other 
Act of Parliament. | 


(2) Subsection (1) does not apply to any person who has presented himself or herself outside Canada at a 
customs ue d dd for that t purpose and hasn not ou hs at ay other is enor to 


officer. 


{3} Subject to this section, every person in charge of a conveyance arriving in Canada shall, except in such 
circumstances and subject to such conditions as may be prescribed, ensure that the passengers and crew 
are forthwith on arrival in Canada transported to a customs office referred to in subsection (1). 


(4) Subsection (3) does not apply to any person in charge of a conveyance transporting passengers and 
crew all of whom have presented themselves outside Canada at a customs office designated for that 
purpose and have not subsequently stopped at any other place prior to their arrival in Canada unless an 
officer requires that person to comply therewith. 


(5) Subsections (1) and (3) do not apply to any person who enters Canadian waters, including the inland 
waters, or the airspace over Canada while proceeding directly from one place outside Canada to another : 
place outside Canada unless an officer requires that person to comply with those subsections. 


(6) Subsection (1 on ld does not apply to a person who 
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(a) holds an authorization issued by the Minister under subsection 11.1(1) to present himself or herself in a 
prescribed alternative manner and who presents himself or herself in the manner authorized for that | 
person; or 


(b) is a member of a prescribed class of persons authorized by regulations made under subsection 11. 1(3) 
to present himself or herself in a prescribed alternative manner and who presents himself or herself i inthe 
manner authorized for that class. 


|. (7) Notwithstanding that a person holds an authorization under subsection 11.1(1) or is authorized under 
| the regulations made under subsection 11.1(3), an officer may require a person to present himself or 
| herself in accordance with subsection (1). 
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| In 2008, this initiative had two PIAs completed: January 2008 focussed on the. pi loted roll-out ofthe - 

| initiative and December 2008 assessed the wider scale roll-out as well as addressing the privacy concerns 
| detailed in a joint resolution issued February 5, 2008 by Canada's Federal-Provincial-Territorial Privacy 
| 


Commissioners. 

Currently, there are three provinces issuing EDLs: Ontario, Manitoba and British Columbia. Canadian EDLs 
can be used by a Canadian to enter into the U.S. The CBSA hosts the secure database required to verify the 
EDL/EIC and facilitates the transmission of the traveller information to U.S. CBP officials. Canadian BSOs 
have no access to the information from the EDL/EIC database at this time. 


| This PIA will focus on the implementation of RFID readers at select Canadian Ports of Entry (POE). This 
| technology will allow CBSA BSOs to retrieve the EDL/EIC information stored in the secure database when a 
cardholder r seeks tui to canara AS Quebec closed their EDL prograrn to new applicants in October 2014, 
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| Program or activity that does NOT involve a decision about an identifiable individual B | 
| Personal information is used strictly for statistical / research or evaluations including mailing list where no | 
decisions are made that directly have an impact on an identifiable individual. 
1 
| The Directive on PIA applies to administrative use of personal information. The Policy on Privacy Protection 
requires that government institutions establish an institutional Privacy Protocol for addressing non- 
| administrative uses of personal information. The CBSA Privacy Protocol must be implemented. Contact the 
| ATi and Privacy Division before continuing the PIA. 


| Administration of Programs / Activity and Services 

: Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility 
for programs including authentication for accessing programs/services, administering program payments, 
overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc...). 


| Compliance / Regulatory investigations and enforcement 


Personal information is used for purposes of detecting fraud or investigating possible abuses within 
programs where the consequences are administrative in nature (i.e. a fine, discontinuation of benefits, audit j 
of personal income tax file or deportation in cases where national security and/or criminal enforcement is 
not an issue). 
| Criminal investigation and enforcement / National Security EE 
Personal information is used for investigations and enforcement in a criminal context (i.e. decisions may lead 
to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement). 


—— V ORARE, 


! Details: Information collected by the provinces strictly for the issuance of EDLs and provided to the CBSA 


| would not be used for any other purpose. However, at the point of border crossing, the information would 

: form a part of the Traveller Processing records. Those records do have the potential to be used to enforce 

: residency requirements under the immigration and Refugee Protection Act, import / export limits under the 
| Customs Act, criminal investigations / security (where applicable) and potentially, provided to Other 

| Government Departments (OGDs) under information sharing agreements, for the enforcement of programs 
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individual or provided with the consent of the individual for disclosure under an authorized 
program. For exampie: General licensing, or renewal of travel documents or identity 
documents. 


i 
H 
i 


i 
Personal information, with no contextual sensitivities after the time of collection, provided by [ ]2 
the individual with consent to also use personal information held by another source. For | 
example: An application process with a requirement for independent verification of certain 
non-sensitive factual details. | 

i 

: 


Social insurance Number, medical, financial or other sensitive personal information and/or the 3 
context surrounding the personal information is sensitive. Personal information of minors or 

incompetent individuals or involving a representative acting on behalf of the individual. For 

example: Àn individual's name on a particular list may reveal sensitive information on the 

heaith, financial situation, religious or lifestyle choices of that individual. 


Sensitive personal information, including detailed profiles, allegations or suspicions, bodily [4 
samples and/or the context surrounding the personal information is particularly sensitive. For | 
example: Personal information that reveals intimate details on the health, financial situation, 
religious or lifestyle choices of the individual and which, by association, reveals similar details 
about other individuals such as relatives. | 


Details: Collection of the information from the individual is completed by one of the three provinces, in order 

| to issue an EDL/EIC. Once issued, the province provides the CBSA with: full name (first, last), birth date, - 
gender, digital image (holder's photo), citizenship (must be Canadian), licence issuing jurisdiction (province), | 
issuing country (Canada), EDL issuance date, EDL expiry date, licence/card status (i.e., issued, lost, stolen, etc), 


In addition to the availability of verification information in the CBSA database, the EDLs/EICs 
themselves have personal information available directly on the document. This information is used 
to verify the validity of the document. 
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Name — 
Address 
Birth Date 


Driver Licence Number 
Driver Licence Class 

Issue and Expiry Dates 
Picture of Entitled Holder 


Height, Weight, Eye Colour, Hair Colour, 


RFID chip (embedded) 
nes ee i the "C" 


Program or Activity Partners and Private Sector Involvement 


Within the CBSA (amongst one or more programs within the CBSA) 


With other federal institutions 


With other or a combination of federal/ provincial and; or municipal government(s) eS 


Private sector organizations or international ii aes or sib pee 


Details: Information is collected by the three pa 


Gender 


Restriction and Endorsement Codes 


Tag Identification Number (TID), 


Optical Character Recognition 
unique identifier EDN 
RFID unique identifier (ID) 
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Level of Risk 


DJ 1 


rticipating provinces and sent to the CBSA i in order to facilitate 


| use of the records by U.S. CBP, during the border crossing process. With the installation of RFID technology, it is | 


thei intention of the CBSA to make the database information available to CBSA BSOs to enable the use of EDLs 
: by Canadian citizens as proof of identification/evidence of citizenship. 


Duration of the Program or Activity 


One time program or activity 


Level of rísk 


Typically involves offering a one-time support measure in the form of a grant payment as a social support 


mechanism. 


Short-term program 


A program or activity that supports a short-term goal with an established "sunset" date. 


long-term program 
Existing progra m that has been modi fied c or is established with no clear "sunset". 


i9 
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Program Population 
The program affects certain employees for internal administrative purposes. 


The program affects all employees for internal administrative purposes. 


The program affects certain individuals for external administrative purposes. 


The program affects all individuals for external administrative purposes. 


Details: This initiative will affect individuals who hold EDLs/EICs and present themselves at an RFID- enabled 
. POE. As of July 2016, there were more than 500,000 Canadian EDL/EICs in active circulation. This number has 
remained steady since their introduction in 2008/2009. 


Technology and Privacy 


6.1 Does the new or modified program or activity involve the implementation of a new electronic 
system, software or application program including collaborative software (or groupware) that 
is implemented to support the program or activity in terms of the creation, collection or 
handling of personal information? 


6.2. Does the new or modified program or activity require any modifications to IT legacy systems 
and / or services? 


6.3 Doesthe new or modified program or activity involve the implementation of one or more of 
the following technologies: 


> 3. 1 Enhanced identification methods: 


| Details: Currently. U. 5 CBP uses RFID technology tà read EDLs and render the information o on 

| their screens in order to make land border crossing as efficient as possible. It is the intention | 
| of the CBSA to enable technology at select Canadian border crossings, similar to the U.S. in 
that they employ RFID ii at their POEs. 


B | Details: Enabling RFID technology in the travel document is a requirement of the U.S. 
Western Hemisphere Travel Initiative (WHTI) and is not negotiable. 

| While RFID technology is used to transmit the information to the CBSA BSO, it is limited to 

| when the person presents themselves at the land POE. It would not be used by the CBSA as 

| a method of surveillance. It is noteworthy that the EDLs/EICs are issued by the provinces 

| (not the CBSA) enabled with RFID technology and already used by U.S. CBP. The current : 
| changes to the program are to enable use of the card as identification for those returning to : 
_Canada via land POEs. | 


The RFID antenna will be activated when a sensor is triggered by the approach of a vehicle in an 
RFID-enabled primary inspection lane. Once activated, the antenna will read the chip in the 
EDL/EIC, retrieve a unique tag identifier (ID), and transmit it to the CBSA systems. Chips in RFID- 
enabled travel documents that are not acceptable for border crossing will be automatically 
filtered out by CBSA systems. 
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There is no personal information contained within the RFID chip, only a Tag Identification (TID) — 
returned when a card is read matches the embedded TID; and an RFID unique identifier 
containing 96 bits of Os and 1s to retrieve information from the EDL database. 

When the unique tag ID is received by CBSA systems, a process will be activated to send a 
request to the relevant secure database, validated and the corresponding traveller tombstone 
information will be retrieved. The information that is retrieved from the database will present 
the biographic and biometric (photo) information and query results to the BSO. 

In order to reduce the risk of surreptitious location tracking of individuals carrying an EDL, the 
provincial issuing authorities have been advised to issue their EDLs/EICs with a protective 
Sleeve. This sleeve prevents the skimming of data from the RFID tag. Furthermore, RFIDs are 
only readable at a short distance and can only be read by RFID readers when taken out of the 
protective sleeve (the tags are passive and do not transmit information). 

Initially, 13 Canadian land POEs will be enabled with RFID readers. With successful deployment, 
additional POEs may be added. The 13 initial POEs are: 


Additional sites wil be added in future that will function in the same manner as the 13 sites 
above. 


6.3.3 Use of automated personal information analysis, personal information matching and 
knowledge discovery techniques: 


RARARRARAARARANR AMA AR ANE 


_ data matching until an individual uses the EDL/EIC to cross the border at a land POE. At that 
point, the U.S. CBP Officer or the CBSA BSO would review the information presented and 

- compare it with the information contained in the database. The data matching activity is : 
limited to matching the information presented by the traveller on the card to the information | 
| captured in the existing database. The resulting administrative decision would be whether the | 


Personal Information Transmission Level of Risk 


ÉTÉ The personal information is used within a closed system. [11 


No connections to Internet, Intranet ar any other system. Circulation of hardcopy documents is controlled. 
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The personal information is used in system that has connections to at least one other system. 


The personal information is transferred to a portable device or is printed. 


| Details: The EDL-issuing provinces use either MOSeries or IBM 3M WebService to send the EDL data to tt e CBSA 
| encrypted using Public Key Infrastructure -PKI). MQSeries is an International Business Machines Corporation : 
| (IBM) software family whose components are used to tie together other software applications so that they c: can : : 
work together. This type of application is often known as business integration software or middleware. it allows — 
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USB key, CD-Rom, laptop computer, any transfer of the personal information to a different medium. 


The personal information is tra nsmitted using wireless technologies. E 4 


independent and potentially non-concurrent applications on a distributed system to securely comn ae | 
_with each other. 


pa 
to 
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Risk Impact to the CBSA Level of Risk 
Managerial harm. m 
Processes must be reviewed, tools must be changed, change in provider / partner. 
Organizational harm. B 2 
Changes to the organizational structure, changes to the organizations decision-making structure, changes to 


the distribution of responsibilities and accountabilities, changes to the program activity architecture, 
departure of employees, reallocation of HR resources. 


Financial harm. 


Lawsuit, additional moneys required reallocation of financial resources. 


Reputation harm, embarrassment, loss of credibility. X4 


Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome 
compromised, government priority compromised, impact on the Government of Canada Outcome areas. 
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| Details: The personal information collected by the CBSA i is held i in the database to facilitate c cross s border travel. 
A breach of the information could cause concern among EDL/EIC holders (and the general public) regarding the 
ability of the CBSA to safeguard personal information in general. The EDL/EIC data is held in a secure database, 

| and ¢ can only be accessed by authorized users. 


Incorivenie nce. 
-Reputation harm, embarrassment. 
| Financial harm. 
Physica I harm. 
| s D etalls: : While à identity ; theft : apr pears to be possible with even : a | minimal amount of personal info rmati ion, the 
value of the information transmitted for the EDL/EIC process is limited. 
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| SECTION 3 - ANALYSIS OF PERSONAL INFORMATION ELEMENTS 


Personal Information Elements and Sub-elements 


(DUERME 


Category Of Personal Information 
Personal Information 


E 


| Biographical Information | 


| " Day, Month and 
| Year of birth 


_ Element 


MBA III RR B DR rr ITIN LEE LES RES ESS SES TS NT aaa a Ae none 


_ 1) Detailed Physical 


Characteristics 
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_Identifyi ng Numbers 


Individually assigned 


| reference numbers, 
-relatable to an 

| individual through 
| verification in the 

| database. 


Personal Information 


_Sub-Element 


| 1) First name / middle initial | 


/ last name 


| 2) Street ame et street 


| Electronic, from the 
| province and available on 
| the EDL/EIC 


n A—————————————————————————————————Á——————— RR 


| Available only o on nthe 


number / city / province /.- EDL/EIC 


postal code 


D Height - 
Weight 
ud Colour 
Gender 


1) Enhanced Driver's 


| Licence or Enhanced 
| Identification Card 

| Number 

| 2) Optical Character 
| Recognition unique 

| identifier (EDN) 


CEPR nana na nn a 


| Electronic, To the. 


| province and available on 
| the EDL/EIC 


| Genderi iS provided 


f -electronically and held in 
| the database. Other 


biographical elements are 


| available only on the 


EDL/EIC. 


| Electronic, from the 
| province; EDL/EIC Number 
available on the EDL/EIC. 


Purpose / Necessity - 
of Element 


To identify clients in the database a at tthe tim 
| of border crossing. 


| To verify the validity of the card and the 
_ identity of the person crossing the border. 


| This information is viewed by the BSO when 
i the cardi is s presented ata Port of Entry. 


To verity the identity of the person crossing 
(the border. 
| Other than gender, biographical information 
_ is viewed by the BSO when the card is 
presented at a POE. Only gender is recorded 
| in the CBSA databases, unless there was a 
| required referral for intelligence and 
| enforcement. 


| Scan EDL/EIC and retrieve information quickly - 
| and accurately for use by the BSO when the 

| EDL/EIC is presented as identification for 

_ border crossing. 


ER RR e AB RI t E AR AMAA E BS A e e tte i t 


3 
} 


— A ANNA NN EE OE TE 


) 


Use of Enhanced Driver’s Licence and Enhanced Identification Card Information by the Canada 


Border Services Agency 


lex 


VAR A B BIN NANI NN AREA RAT t ttt tet ut ttt e mi me su 


Citizenship of individual 


| Licence Status 


Ne 
CJ 
£o 
m eR 
Eu 
e 
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rU 
SA 
S 
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— 


1) 15 Holders of the card 
must be Canadian 
citizens, therefore it is 
inferred that having 
the card denotes 
| Citizenship. 


(dn addition to deve 
status, EDL can be 
| designated as lost, 
- stolen, fraudulently 
| issued, fraudulently 
| obtained, deceased 
| card holder and/or 
| revoked status. 


TH RE m ————— | CORN AEE E ee nee uncia l PEUT EBEA E E NUR PEENE E c 


bool ind 


1) Dehoted through the 


| capiti "C" on the card. 


[n Card Sus 
2) Card status reason code 


| 
ME 


| 


r Dertratilc: Pu ihe 
| 
| 


Electronic, from the | To varity the validity of the ré. 
province and available on 


| the EDL/EIC. 


| To verify the tdantiy dé the person crossing | 
| | the border. 


| Electronic, fromthe 
| province and available on 
the EDUEIC. 


H 
one uses 


| Tor meet tthe US 5. criteria — an a enhanced 
- border crossing document and verify identity | 
| for re-entry to Canada. | 


Electronic, from the 
province and available on 
the EDL/EIC 


Ve de eee deal e ette e ee eta ————— —— —— SES ES SS 


- Toe ensure onlya active e cards a are re accepted in in 
_ cross border travel. 


province 
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Once the card is read at the border, the information becomes part of a record of passage and 
information related to the border crossing would be considered traveller processing 
information. This information can be stored in one or more CBSA databases: 

+ Integrated Customs Enforcement System (ICES) 
Integrated Primary inspection Line (IPIL) 
Passenger Information System (PAXIS) 
Telephone Reporting Centre System (TRCS) 
Secondary Processing System (SP) 
Passage History Database (PH) 
Occurrence Reporting System (ORS) 
Intelligence Management System (IMS) 
Integrated Border Query (IBQ) 
Canadian Police Information Centre (CPIC) 
National Crime Information Center (NCIC) 
Client Status Query (CSQ) 
Modern War Crimes System {MWCS} 
Secure Tracking System (STS) 
Support System for Intelligence (SSI) 
National Case Management System (NCMS) 
Global Case Management System (GCMS) 
Automated Fingerprint identification System (AFIS) 
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Once the information is entered into CBSA data bases to form a record of entry, 
different retention schedules and disclosures may occur. 
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Interaction with RFID Processor 


RFID Processor (RFID PROC) 


iMetrieve | entity Card tombstone data by RFID tag | Syne HTTP 1 

Retrieve | Identity Card tombstone data by MRZI Sync] HITE] 
i Receive Travel Document queries | 
Route depending on document type and issuer : | 

Ratios | ———— | . io GEC for Trusted Traveler cards (Nexus , FAST) | 
T ut ne Gata hy Be Dag: (Syne) HET io EDL for provincial / territorial EOL and EIC : 

Retrieve | EDLEIC/ Card tombstone data b: Syn " 
Eu M eme E 4 (records held by CBSA) 


Automated Retry 
Format and retum tombstone information to caller 


Rate | Membership isis oy RET ag | Sync | HTIR 3 
Retrieve I Membership infe by! WRZ | [Syns I HFF] 


_ 4.2 Data Flow Iv 


lodel - Table 
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| Provi incial “informatio ion is sent Erom then provinces to d the CBSA arid held i ina database | 
| governments of | to enable verification of the validity of the document and facilitate | 
| Ontario, Manitoba | la nd/water border crossing. 
| and British | For example, Manitoba's Applicant Guide informs applicants that "Your 
| Columbia | personal information will be transmitted by Manitoba Public Insurance to 
2 the CBSA by a secure, encrypted network. x 


eiiis itt d een es dame AAA RAI déén ll ten dnnn nn en ee nena naan mas ane ee een A nn ee ed eee ed este ed ee eee des eee ges een ee Sew ewe eee eee ee rere benne nee sarah 


The indivi dual | At the point of border crossing via land/water POE, the EDL holder presents. 
| (the document to demonstrate their identity. If seeking entry into the U.S. 
| the EDL also identifies thei ir Canadian citizenship. - 


4.3 Internal Use and Disclosure 
Once information becomes traveller processing information (when an individual presents their 
card to re-enter Canada), the information is available for multiple uses. 


RAAT € —— eee RERO ACR AL A UP 


| | Program | | Personal information bank 


| 
RAR RR RSR reste nn ne ess ner nn een nieve e ere TRETEN VO NO Te 
| Traveller Processing t CBSA PPU 1101: The personal information 


collected may include: name, contact information, citizenship, date of 
birth, place of birth, gender, date and time of entry, POE, travel 
document type (e.g., passport) including identification number and 
country of issuance, membership program information — i.e. NEXUS, 
residency, and GCMS ID(Unique Client identifier (UCI)) number. In the 
land mode, passenger vehicle license ens information is collected. 


Traveller: 
Processing 
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Integrated Customs Enforcement System (ICES) mE | 
integrated Primary Inspection Line (IPIL) 
Passenger Information System (PAXIS) | 
Telephone Reporting Centre System (TRCS) 
Secondary Processing System (SP) 

Passage History Database (PH) | 
Occurrence Reporting System (ORS) | 
Intelligence Management System (IMS) 
Integrated Border Query (IBO) 
Global Case Management System (GCMS) 
Canadian Police Information Centre (CPIC) 
National Crime Information Center (NCIC) 

Client Status Query (CSQ) 

Modern War Crimes System (MWCS) 

Secure Tracking System (STS) 

Support System for intelligence {5S1} 

National Case Management System (NCMS), and 
Automated Fingerprint Identification System (AFIS). - 


Daruma 


“Intelligence: | Intelligence Program CBSA PPU 035: Personal information may 
Program | include name, contact information, biographical information, 
| biometric information, citizenship status, credit information, criminal 
| checks/history, date of birth, educational information, financial 
| information, travel/identity documents, personal identification 
: | numbers, physical attributes, place of birth, signature, import/export 
| | information, customs infractions and/or seizures, traveller history and 
| | immigration violations. 
| Personal Information may be stored in the following systems: 
intelligence Management System (IMS) 
the eee pd for 2 es (SSI) 
ne Customs Enforcement System (ICES) 
National Case Management System (NCSM) 
Global Case Management System (GCMS) 
Canadian Police Information Center (CPIC) _ 


———P sees ———————OO—————————————————————— 
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CBSA Uses Permitted by the Provinces 


pue es made to the MOUs hetween the provinces (i.e., BC, Manitoba and Ontario} and the CBSA 
now authorize the CBSA to access the information held in the CBSA’s EDL database on their behalf. The 
limitations on use are expressed in different sections for each of the provinces and the wording may be 
slightly different. The province of Quebec chose not to participate and as such, the CBSA will not access 
information related to holders of the Quebec EDL. The number of active Quebec EDLs will diminish over 
vos time as they expire and cannot be renewed. 
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General 


Once the information forms a record of passage, details regarding the border crossing, including 
identifying references to the EDL itself (ID number, type of document, province of issuance, etc.) are 
entered into relevant CBSA databases and the information can be used for multiple intelligence and 
enforcement purposes. This would be the same process regardless of whether a traveller uses an EDL or 
a passport to enter the U.S. or Canada. 


4.4 External Use and Disclosure 


EDL information is disclosed under limited circumstances; however, once an individual uses their EDL to 
facilitate cross border travel, the information becomes a record of the border crossing. 


4. 5 Retention t Storage 


Canada Border Services Agency Thë CBSA particular Personal information: Bank EDL/EI c information 
cites an RDA of 2015-008. The corresponding retention period 
published in the PIB states, "EDLs/EICs are retained by CBSA as long 
they are deemed to be active by the province or territory that issued 
them. When an EDL/EIC is deemed to be inactive (expired, lost, 
stolen, surrendered, no longer valid, cancelled, fraudulently obtained, 
holder deceased) by the province or territory that issued it, the 
province or territory notifies the CBSA. The CBSA retains EDL/EIC | 
records for two (2) years following the last administrative action (i.e. | 
when the CBSA is advised that the card is no longer active for border- 
crossing purposes). The information is then destroyed according to 

the Government of Canada's secure disposal requirements." 


The MOU divides retention into three categories: active, inactive and | 
Lost/Stolen/Fraudulent. However, the MOU also states that EDLs 
become inactive when they are reported lost or stolen. The retention 
standards for the two categories are different, | 
Active EDL information will be stored in the CBSA database for as long : 
as the EDL remains active; | 
inactive EDLs are considered inactive when they are reported lost or 

| stolen, when they are surrendered, no longer valid, cancelled or 

| when the cardholder is deceased. EDL information for inactive EDLs 
| will be stored in the CBSA database for two years following the last — 
| administrative action on the EDL information, and then removed from | 
| that system completely according to the Government of Canada's | 
| secure disposal requirements. 

- Lost/Stolen/Fraudulent EDL information that is stored in CBSA 

| databases is retained for a period of 10 years based on the CBSA | 
| — Authority — under the CBSA Program Alignment | 
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: | The MOU states that the province will “store information in the 

| : | licencing and control system, on microfilm/fiche, and in the 
appropriate audit and reconciliation or secure storage database in 
| | order to monitor EDL applications and card issuance, respond to | 
| | requests for information by authorized parties, and to CBSA and IRCC 
| with information required by US CBP and quality assurance processes. | 
_ The province will retain EDL information indefinitely to support the — | 
| EDL program and any enquiries and investigations.” 4 | 


MTM ee AAA —— P — —  /  —— ((: ——————————— E! eee —€— ——g 


| Phares of Manitoba | No timelines provided. EDL Applicant Guide states: Anforratión th that. 
| is collected about you as part of this program will be kept by | 
| Manitoba Public Insurance to maintain your EDL or EIC record for as | 
: long as your card is valid and, even if your application was denied or 

: _ your card expires or is cancelled, to prevent identity theft and 

| | fraudulent applications for Manitoba EDLs and EICs. This information 

- will be kept in accordance with the requirements of Manitoba's : 
. ? Fieedom of Information. and Protection of Privacy Act. 
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| Provin ince es —" | There is no reference to retention in the EDL Applicant Guide. 
| Col lumbia 


The Province of Manitoba provides notice to EDL/EIC applicants regarding the retention of their personal 

information once it is disclosed to the CBSA and subsequently to U.S. CBP. The EDL Applicant Guide 

states, 
“For CBSA, information for "active" EDLs and EiCs (i.e., ones that can be used to cross the United 
States border) will be stored in CBSA's EDL and EIC database for as long as the card remains 
active. If your card becomes "inactive" (for example, it is lost, stolen, cancelled, etc.), the CBSA 
will keep your information in its database for two years. If there has been no activity on the card 
over the two-year period, the information will then be removed from the EDL and EIC database 
according to the Government of Canada's secure disposal requirements." 


"If you have used your EDL or EIC to enter the United States, United States CBP will have stored 
information that was sent to it by CBSA when you crossed in its Border Crossing Information 
(BCI) system. The BCI system is subject to the retention requirements of the US government, 
which require that information on Canadian citizens (and other foreign nationals) be maintained 
by CBP for 75 years for border-screening and law enforcement purposes. Regardless of whether 
you used an EDL, an EIC or a passport to cross the border, information from the document(s) 
that you presented will be stored in the BCI and subject to the same 75 year retention 
requirement." 


EDL / EIC information is collected and used by the provinces to licence and manage the drivers who are 
resident in their provinces. The primary purpose of the licencing drivers is not to facilitate border 
crossing and, as such, the retention of the information by the provinces cannot be dictated by the 
border crossing use. In addition, as the primary collector of the information, the provinces would be 
responsible for notifying applicants regarding their intended retention period. 
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The MOUs makes destruction obligations clear, but do not specify the method of destruction. By way of 
example, the MOU with Manitoba states: "Each Participant to this Annex agrees that EDL information 
collected electronically must be destroyed in a way to make it irretrievable, not simply erased from 
databases, in accordance with their respective policies and laws." 


4.6 Other Possible Considerations 

Identify the areas, groups and individuals who access and handle the personal information: 

Within CBSA, no individual has easy access to the EDL client data. However, the Traveller Processing 
Enhancements Unit can ask for client data to be pulled from the database with director level approval. 
This would be done solely for troubleshooting if provinces have problems. 


This chart reflects the access and handling provisions for the information, after negotiation with the 
provinces. It is not the intention of the CBSA to allow any access to the information by CBSA officials until 
the provinces are in agreement with the use of the information. 


i Identify rop or Areas "m or d Positions who have access or use the Geographical Location 
| Divisions | personal information (where 
| Sppropriae) 


“CBSA Border Services Officers | Morethan1000  |LandPortsofEnty | 
| Alternative Traveller Processing | Three Nati ional Capital Region | 
ro nnn ———— eee — 
| ATIP Officers (in response to a | Less than 100 - i | National Capital Region. 
request — NEM | Eee ee  _ 
CBSA ISTB groups: — | Less than 100 - | Nati onal Capital Region 
| * Traveller Systems Division- — 2 
TSD (1&2) 
| + Data Management (DM) 
+ Consolidated Management 
| Reporting System (CMRS) 
| (Operations support) —— —— ——  ' — — 
| EDL Participating Canadian Provinces: “Less than 100 | | © British Columbia: 
: + British Columbia : - Insurance Corporation of : 
| « Minitüba | | British Columbia (ICBC) — 
* Ontario | * Manitoba: Manitoba 
e Québec | | Public Insurance (MP) 
| (Original data provided to CBSA | | * Ontario: Ministry of 
& CBSA to provide in some cases : | Transportation Ontario 
monthly reconciliation data back | - (MTO) 
| to each specific partner) | | © Québec: Société de 
»" | | - l'assurance automobile 
Leen oe LL du Québec (SAAQ) | 
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| The Document Integrity Unit (DIU) at | Lessthan 100 — Re + 
| CBSA NHQ (the “Nat. Intelligence - | | 

| Documents group"). EDL information — 

_is sent to them by appropriate | 

| partners through their generic email | 

account, ——  — 
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E Legal | Authority for Collection of Personal | Information 


| Has a legal authority been identified for the collection of personal information for this program or activity? | 


“oc recommends that section 5(1) of the Canada Border Services Agency Act be interpreted narrowly by 
| CBSA and that agreements that involve the sharing of information of Canadians with foreign states be j 
| subject to the utmost scrutiny and be supported by a detailed business case. (part of the Dec 2008 PIA, 
| page 28] 


Yes 


1.1 D Specify the legal authority and briefly explain its connection to the program or activity or how it 
permits the collection of the personal information: 


qum ea a OCLC neeem nanea nennen eneee nAAL ANARA RANNAN ARANAN i iii iiia iiia iiaa aaa aa aaa aaiae aAA AAAA Kinne ee en aes 2828 AAA RAA RANA EATEN — i. 


| 1 
| Two PIAs iótugléied in in 2008 as well as the PIB B renlsiered f for the program document, the CBSA — 
| Act as the legislative authority for the collection and use of personal information by the EDL 
| initiative. As this PIA is focused on the new use of the information by CBSA BSOs to allow 
Canadians to use the EDL as proof of their identity, it should be noted that legislative a uthority is 
derived from the IRPA, sections 4(2), 18(1) and 19(1.) as well as the Customs Act, section 11. 


| IRPA | 


lea ieee ARRAS ADA DDARAAAPAARASADAAD AAAI AAR I SIIIII III IS AAIII RSI II BAD IIRI ARR IR ARS LA AAA AAAA AAAA AAA 


4. (2) The Minister of Public Safety and Emergency Preparedness is responsible for the 
administration of this Act as it relates to 


: | . {a} examinations at ports of entry; 


(b) the enforcement of this Act, including arrest, detention and removal; 


on grounds of security, organized criminality or violating human or international rights; or 


| 

(c) the establishment of policies respecting the enforcement of this Act and inadmissibility : 
(d) declarations referred to in section 42.1. : 
À 


18 (1) Every person seeking to enter Canada must appear for an examination to determine 
whether that person has a right to enter Canada or is or may become authorized to enter 
and remain in Canada. | 


19 (1) Every Canadian citizen within the meaning of the Citizenship Act and every person 
registered as an Indian under the Indian Act has the right to enter and remain in Canada in 
accordance with this Act, and an officer shall allow the person to enter Canada if satisfied 
following an examination on their entry that the person is a citizen or registered Indian. 


i 

| | 

| | Customs Act 
| ] 
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circumstances and subject to such conditions as s may be prescribed, enter Canada onlyata __ 1 | 
| . customs office designated for that purpose that is open for business and without delay | 
| .. present himself or herself to an officer and answer truthfully any questions asked by the 
: 


officer in the performance of his or her duties under this or any other Act of Parliament. 


(2) Subsection (1) does not apply to any person who has presented himself or herself | 
outside Canada at a customs office designated for that purpose and has not subsequently - 
stopped at any other place prior to his or her arrival in Canada unless an officer requires - 
that person to present himself or herself to the officer. | ! 


8) ui to this section, aey peron in Nias of a conveyance arine in Canada shall, | 


that the | passengers aida crew are e forthwith on arrival’ in Ca anada transported: to: a es 
office referred to in subsection (1). 


(4) Subsection (3) does not apply to any person in charge of a conveyance transporting 
passengers and crew all of whom have presented themselves outside Canada at a customs 
office designated for that purpose and have not subsequently stopped at any other place 
prior to their arrival in Canada unless an officer requires that person to comply therewith. 


(5) Subsections (1) and (3) do not apply to any person who enters Canadian waters, 

including the inland waters, or the airspace over Canada while proceeding directly from one 
| |. place outside Canada to another place outside Canada unless an officer requires that person 
| |». to comply with those subsections. | 


(6) Subsection (1) does not apply to ap person who 


(a) holds an authorization issued by the Minister under subsection 11.1(1) to present : 
himself or herself in a prescribed alternative manner and who presents himself or herself in : 
the manner authorized for that person; or : 


(b) is a member of a prescribed class of persons authorized by regulations made under 
subsection 11.1(3) to present himself or herself in a prescribed alternative manner and who : | 
presents himself or herself in the manner authorized for that class. 


(7) Notwithstanding that a person holds an authorization under subsection 11.1(1) or is 
authorized under the regulations made under subsection 11.1(3), an officer may require a | 
parsan t to 9 present n himself or herself in accordance with subsection ii | 


The personal: information i is s collected a as s part of Traveller: Processing for the facilitation ofc cross 
border travel. 
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| administer the program or activity? 


| 
YES | 


The EDL Program will fulfill a need for Canadian citizens who prefer to use a commonly-held and less costly 
document in lieu of a passport for the purposes of entry into the US at a land or water border crossing. All of 
the information collected from the provinces and collected on the card at the time of border crossing is 
required for compliance to the WHTI. In fact, almost all of the information is identical to what would be 
collected if a passport was used to re-enter into Canada. 


However, there are unique identifying numbers on the RFID tag that are not associated with any publicly 
available information which are also collected. For example, while the new Canadian passport will use an RFID | 
technology, it is not the same as the RFID technology in use for the EDL. Each identifying number is mandatory | 
| for the use of the EDL in compliance with the WHTI and none of the identifying numbers (even if intercepted) 

| would reveal the identity of the card holder unless an individual also had access to the EDL database. 


None of the personal information elements collected would be considered to be more invasive than applying 
for a Canadian passport and provincial driver's licence. 


| Ensure that all personal information necessary to administer the program or activity is listed in the | 
relevant PIB. 2 


| 2.2 [X] AND, implement controls and procedures to ensure the CBSA does not collect more personal | 
information than is necessary for the identified program or activity and that a continuing need exists | 
for that information or its collection. 

| 

| 

i 

i 


. 23 Are secondary uses contemplated for the information collected? 


——————— OH 


| No, the information is being collected for immigration purposes and therefore primary to the administration 
and enforcement of IRPA. 


| Is the collection of the Social Insurance Number (SIN) necessary to administer the program or activity? 


Policy reference: Section 6.2.13 of Policy on Privacy Protection and sections 6.1.1 and 6.2 to 6.4 of 


| 
| 
Statutory reference: Section 4 of Privacy Act 
| Directive on Social Insurance Number : 
| YES 


| 3, 1 L] Collection of the SIN must be in compliance with the Directive on Social Insurance Number (please 
| | check all appropriate boxes below): 


E 2.1 EL State legal authority for collecting the SIN 
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| OR, in the absence of a legal authority to collect the SIN: 


AND, if disclosure of the SIN by the CBSA is to occur on a routine or systematic basis 

| 3.4.1 u to another federal institution that is authorized to collect it, or to another level of government, 

| establish an agreement or arrangement that includes specific provisions to limit the use of the SIN. 

| 3.4.2 to a contractor or other external service provider, establish a contract that includes specific 
provisions to limit the use of the SIN. 

3.5 | | AND, ensure that the relevant PIB for the program or activity states the authority under which the 
| SIN is collected and the purpose for which it is used. 

NO 


| 3.6 The SIN is not necessary and it will not be collected, used or disclosed to administer the program or 
activity. 


on - Notification and Consent (as appropriate) 


| Is personal information collected directly from the individual to whom it relates? 


= 
1 


| 
| Statutory reference: Sections 4 and 5 of Privacy Act 

| Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and section 6.1.2 and 
6.4.1 of Directive on Social Insurance Number - 
© YES | 
: 4.1 | | A "Privacy Notice" (adapted for either verbal or written communications) must be provided to the 
individual at the time of collection and it must include the following elements: 

| a) The purpose and authority for the collection 
b) Any uses or disclosures that are consistent with the original purpose. 
c) Any uses or disclosures that are not related to the original purpose 


d) Any legal or administrative consequences for refusing to provide the personal information 
e) That the “individual to whom the information relates" has rights of access to, correction of and 
protection of personal information under the Privacy Act. 


g) Why the SIN is collected, how it will be used and the consequence of not providing it. 


| AND, add a “Consent Statement” to the “Privacy Notice” as appropriate, if the personal information is to | 
| be used or disclosed for a purpose other than the original purpose (Secondary Use) or a consistent use, 
or, to authorize indirect collection of personal information. 


| 4.2 [| The "Consent Statement" must include the following elements: 
a) The purpose of the consent and the specific personal information involved. 
b) In the case of indirect collections, the sources that will be asked to provide the information. 
c) Uses and disclosures that are not consistent with the original purpose of the collection and for 
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- e " Any ditétnatives | to die consent - 
4.3 |_| AND, implement controls and procedures to ensure that the CBSA kee ps a record documenting | 
| whether or not an individual provided consent when it was sought, including a record documenting 
any withdrawal of consent when applicable. 


: Additional Consent Considerations (s. 77(1)(m) of the Privacy Act): | 

| | ] Standards and mechanisms are in place to ensure that the individual has ca pacity to give 

| consent. 

No 

| 4.4 The personal information necessary for the program or activity is not collected directly from the | 

- individual. it is collected indirectly, for example, from another program within the CBSA, or from | 
another institution, government or third party. 


The primary method of collection for this initiative is indirect collection of information from the three 
participating provinces in order to populate the CBSA database and the presentation of EDLs at the | 
border directly by the individual at the point crossing a POE. The EDL cardholder voluntarily presents | 
their EDL to the CBSA to verify the information already held in the CBSA database. 


$ 
i | 
i | 
i 3 


| There is limited signage at the border to provide notice to individuals regarding the collection of their - 
| personal information. There are no mandatory scripts in place for use by BSOs to provide notice. This 
issue is not specific to the EDL program. 
| 


. Indirect Collection - - Consent c or r Authority u under Sec. 10 of Pri ivacy Regulations | 


Is personal information collected indirectly from another source with the informed consent of the individual | 
to whom it relates, or from a person authorized to act on behalf of the individual pursuant to section 10 of 


| Statutory reference: Sections 4 and 5 of Privacy Act and section 10 of Privacy Regulations 
Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and sections 6.1.2 
and 6.4.1 of the Directive on Social Insurance Number 

ET 


1 
i 


"— "tanda Statement" below: 
| AND, implement controls and procedures to ensure the CBSA keeps a record documenting whether 
or not an individual provided consent when it was sought, including a record documenting any 
withdrawal of consent when applicable. 
`<] AND, if information is being collected from persons authorized to act on behalf of minors, | 
incompetents or individuals who have been deceased for less than 20 years, implement appropriate 
mechanisms to ensure that such persons are authorized to act on behalf of individuals who do not 
have the capacity to provide consent, 
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| was vise upon eat : in vhi] process that su ai privacy notice aub bie ented to EDL : 

| applicants at the point of application. As there is no legislative obligation for the CBSA to provide notice, 

- and the provinces are not subject to the federal Directive on Privacy Practices, any assessment of the 
notice provided is anecdotal. The provincial applicant guides, containing the Consent Forms each has 
developed, are included in the Supplementary Documents submitted with this PIA 


à 6. Indirect Collection - Without Notification add Consent 

Sine eames — cuiu d Rc cR LOS une prae SE T NR 
is personal in ioi collected from another source without notice to or consent Fonti the individual to 

| whom the information relates? 


No, while personal information is collected indirectly, there is notice provided at the point of collection 
and all provi nces Tequest direct consent for the disclosure of information to the CBSA. 


7. Re etention and Disposal of Personal Information | 
‘cca ARR as ca lags a ac aE —Á————— Áo oui LU RN RUNDE. 
j 
| Has Library and Archives Canada approved a records retention and disposal schedule that applies to the 
| personal information? 
Statutory reference: Section 12 of Library and Archives Canada Act, sections 6, 10 and 11 of Privacy Act and 
section 4 of Privacy Regulations 
Policy reference: Sections 6.1.3, 6.2.11 to 6.2.13 and 6.2.23 of Directive on Privacy Practices 
^X] Please identify the Record Disposition Authority (RDA) and describe the retention and disposal 
SC hed ule: 
| | Detail ils: The CBSA particu "i cular Persorial Information Bank Enhanced Driver's S Um icence e (EDL) / | 
| Enhanced identification Card (EIC) Program fits within the framework of the CBSA Disposition | 
_ Authority (DA) of 2015/008 issued by Library and Archives Canada in March 2015 (L&A File # 
| | 6240-50/C126-2015/008). 
| | The corresponding retention period published in the PIB states, “EDLs/EICs are retained by CBSA 
| as long they are deemed to be active by the province or territory that issued them. When an 
| | EDL/EIC is deemed to be inactive (expired, lost, stolen, surrendered, no longer valid, cancelled, | 
| fraudulently obtained, holder deceased) by the province or territory that issued it, the province - 
| | or territory notifies the Canada Border Services Agency (CBSA). The Canada Border Services | | 
| Agency (CBSA) retains EDL/EIC records for two (2) years following the last administrative action | 
| | (i.e. CBSA is advised that the card is no longer active for border-crossing purposes). The 
| : information is then destroyed according to the Government of Canada's secure disposal 
| requirements.” | 
| X] AND, implement controls and procedures to ensure e that personal infütmation used & to o make à a | 
decision that directly affects an individual will be retained for a minimum of two years after the last 
u administrative action or, where a request for access to the information has been received, until such 


time as the individual has had the opportunity t to exercise c all his/her rights t under the Act. 
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| The MOU between the provinces and the CBSA divides retention into three categories: active, inactive and 
| Lost/Stolen/Fraudulent. However, the MOU also states that EDLs become inactive when they are reported 
lost or stolen. The retention standards for the two categories are different. | 
: | Active EDL information will be stored in the CBSA database for as long as the EDL remains active; 
| Inactive EDLs are considered inactive when they are reported lost or stolen, when they are surrendered, no 
| longer valid, cancelled or when the cardholder is deceased. In accordance with the MOUs with the provinces, 
| an agreement has been established between CBSA and the document issuing authorities that EDL information 
retention will be limited to two years following the last administrative action on the EDL information. Once 
| the two year time frame has elapsed, the information will be completely removed from the system according 
| to the Government of Canada's secure disposal requirements. 


: Lost/Stolen/Fraudulent Under standard practices and procedures within the CBSA, EDL information, fora 
| document reported as lost/stolen/fraudulent (LSFD), is stored in CBSA database(s) and is retained for a period : 
of 10 years based on the CBSA Disposition Authority 2015/008 under the CBSA Program Alignment | 
Architecture (PAA) Section 1.1 (Intelligence). | 
In addition to the CBSA publishing the retention standard, the standard is addressed in the Memoranda of 
Understanding with each of the issuing provinces. For example, the MOU with the Government of Ontario | 
states that EDLs are deemed inactive when they are expired, fraudulently obtained, reported lost or stolen, 
surrendered, no longer valid, cancelled or when the EDL holder is deceased. EDL Information for inactive EDLs 

| will be stored in the CBSA database for two years following the last administrative action on the EDL 
information, and then removed from the system completely according to the Government of Canada's secure 
PN : disposal requirements. 


information that is collected about you as part of this program will be kept by Manitoba Public Insurance to 
maintain your EDL/EIC record for as long as your card is valid and, even if your application was denied or your 
card expires or is cancelled, to prevent identity theft and fraudulent applications for Manitoba EDLs and EICs. 
The information will be kept in accordance with the requirements of Manitoba’s Freedom of Information and 
Protection of Privacy Act and Manitoba's Archives and Recordkeeping Act. 
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British Columbia 

The information that's disclosed to CBSA is protected under provisions of the federal Privacy Act. Your EDL 
application information is sent to CBSA after you activate your card or if your card is reported lost, stolen, 
cancelled or changed. CBSA will store your information in a secure database in Canada and disclose it to the : 
U.S. Customs and Border Protection when you present your EDL card at the U.S. border. The CBSA will use the | 
information for border crossing purposes when you present your EDL/EIC when entering Canada. The CBSA | 
will also retain information about lost, stolen or otherwise invalid EDLs. CBSA will share this information with | 
other agencies only as authorized by law. 


| Ontario 
| There are no references to retention in the Ontario Applicant Guide. 


| 7.3 - AND, if the CBSA ntenas to dh of a information that has been used a an admin A 
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before dogs SO. 


| 74 Dd AND, the CBSA must cite the RDA number, the retention period and the disposition standards for the 
| personal information in the relevant PIB. 


NO 

[ 7.5 |_| Provide a Records Disposition Submission to Library and Archives Canada describing the records 
| containing the personal information for which the institution requires a RDA. 

7.6 | | AND, obtain a RDA from Library and Archives Canada to allow the CBSA, under certain conditions, to | 
dispose of records that no longer have operational utility for the program or activity. 
7.7 [|_| AND, ensure that all the other applicabie requirements listed under "YES" at Question 7 are met. 


_ Will measures be adopted to ensure that personal information used by the CBSA for an administrative 
: purpose is as accurate, up-to-date and complete as possible? 


: 

Statutory reference: Sections 6, 10 and 11 of Privacy Act and sections 10 and 11 of Privacy Regulations 
Policy reference: Sections 6.1.1 and 6.2.9 to 6.2.16 of Directive on Privacy Practices 

YES | 

1 X Please check any of the following measures that will be adopted to ensure accuracy of the personal | 
information and provide details as requested: 


8.1.1 | | Personal information will be collected directly from the individual to whom it relates or it will be 
validated with the individual or a person authorized to act on behalf of the individual. 
8.1.2 A data-matching process will be used to verify the accuracy of personal information against a 
"reliable source" (within or outside the CBSA) where this is authorized, or where consent was | 
obtained. | 
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| Detai is: Once an individual uses the EDL / EIC as identification for cross border travel, the 
| details on the card will be verified by the CBSA BSO and/or U.S. CBP. The information on the | 
- | card is reviewed for accuracy With the cardholder, verifving the information against the | 
| information held in the database. If any information appears to be inconsistent, the | 
a traveller may be referred for add itional processing to clarify or resolve the inconsistency. | 
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8.1.3 | In cases where direct collection or consent is not feasible, the CBSA will obtain information from 
ptm sources (public or private) and verify accuracy against existing personal information 
pee use. 


| Details: When personal information i is received from the provinces. the information will be 
| | confirmed via automated methods for format accuracy, omissions and discrepancies. This 
| | information is received through indirect collection and will not be used to make an 
| | administrative decision that directly affects the individual, until the card holder presents 
| 
E 


_ their ID at a land/water POE and the information is verified. 


i 
i 
CHIESE PR ed 3 


8.1.4 [Xx] Techno! ogi ical methods will be m" to identify e errors sand discrepancies. 
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| Details: ‘The technology solution incorporates à an n immediate reconciliation wen the data | 
string is received. The reconciliation does not confirm the content of the data string but 
confirms that CBSA has received the data string that was sent. The province is responsible 

| for ensuring that they receive the appropriate responses back from CBSA. 


| A reconciliation report will be generated for the provinces for their reconciliation and 
| management of EDL data. In addition, the CBSA, at the request of a province may createa 
data integrity report, containing that provinces’ EDL information and provide it to the - 
province for the purposes of verifying the integrity of the EDL information in CBSA’s EDL 
| database. CBSA cannot manipulate EDL data and provinces are responsible for all updates 
P (to the EDL records. - 
1 


REPE 


| 8 2 |] AND, fn measures are adopted other than: "direct collection o or r validation with the individual or with a 
| person authorized to act on behalf of the individual", the CBSA must implement appropriate controls 
and procedures to ensure that: 

a) the technique(s) and the specific source(s) used to validate or update the personal information 
are documented; 

b) individuals are given the opportunity, whenever possible, to request correction of any inaccurate 
personal information before the information is used in a decision-making process that affects 
them; 

c) personal information can only be modified or corrected by those within the CBSA who have the 

- authority to do so; 

«] d) when personal information is corrected or annotated, the record of personal information 
indicates the date of the last correction or annotation and the source of the information used to 
make the correction or annotation; and 

d) when personal information is corrected or annotated, other authorized holders of the 


information are notified about the correction or annotation and that all copies of the information | 


in the possession of the CBSA are corrected / annotated. 


| AND, if appropriate, ensure that the "Privacy Notice" or "Consent Statement" and the relevant PIB 
are amended to identify the data-matching activity including the source(s). 
NO 


"D 


LEEREN 


Use of the EDL information is governed by four facets: CBSA's legislative authority to collect and use the 

| personal information; the MOU between the CBSA and each of the participating provinces and, importantly, 
| by the notice provided to the applicant at the point when they applied for the EDL and via the particular PIB 
| registered by the CBSA and published in Info Source. 


| 
NONEM s desc RE i Hu s ili fM 

n 8, TM Ise of Personal Information. | | 

| 


i 
i 
i 
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geom wil i be limited to authorized à individuals who pne to X know the information to y gerfon their | 
official duties. (Identify the work positions within the program or activity that have a valid reason to 
access and handle the personal information, and limit access to individuals occupying those 
positions.] 


| AND, ensure that the “Data Flow Diagram" or "Data Flow Tables" completed for "Section 4 — Flow of 

Personal Information" of the CBSA PIA identify the areas, groups and individuals (e.g., the positions) 
: within the CBSA who have a need-to-know to access to or handle the personal information, including | 
| their geographical location and where the personal information will be stored or retained. (See | 
Section IV of Appendix "C" of Directive on Privacy Impact Assessment for a list of elements that must - 
be included in the data flow diagram or data flow tables.) | 
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| AND, if the purposes for which the personal information is used includes any use(s) of the | 
information for a non-administrative purpose, (such as research, statistical, audit and evaluation | 
purposes) the CBSA will adhere to the requirements and principles in the CBSA Privacy Protocol For | 
Non-Administrative Purposes (2012), in accordance with section 6.2.15 of the Policy on Privacy 
Protection, to address any impact that such non-administrative uses may have on privacy. | 


94 [ | identify below any other uses of the personal information, in other words, any routine uses that are 
not directly related to the purpose of the collection, or, which are not consistent with that purpose | 
or for which the information was disclosed to the CBSA pursuant to subsection 8(2) of the Privacy 
Act: 


23 [35 AND, ensure that these other: uses are reflected i in the relevant PIB. (in accordance with subsection 
9(1) of the Privacy Act, if these other uses are not described in the PIB in CBSA info Source, the CBSA 

is required to record each use on the individual's file. Describing them in the PIB is, therefore, a far 
more efficient practice — see Question 11.) 


: 
j 


| , include a description of these other uses in the "Privacy Notice" or "Consent Statement", as 
dires] ; 
|_| AND, ensure the all the other applicable requirements listed under "YES" at Question 9 are met. | 


“10, Disclosures Directly Related to the e Administration of the Program c or r Activity 
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| Will personal information be disclosed for purposes directly related to the administration of the program or 
| activity? (This includes, for example, disclosures to other programs within the CBSA, other federal 
| institutions, other governments, international organizations, private sector organizations or individuais.) 


d | 
d 
H 
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YES 
| 10.1 [] Please check all applicable boxes below and, for each disclosure, identify the name of the 
organization or third party to which personal information will be disclosed. if it is disclosed within 
the CBSA, please identify the branch and the program or activity. 
10.1.1] Within the CBSA for another program or activity - 


j ete MEM M BA SR RR ————— peaks 


: Detail : Enforcement p In telligence within thea context of Lost/Stolen/Fraudulently issued. 
- | | Documen ts 
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| -i | Detail: - | 


10.2 [X | AND, « ensure that: 

a) any such disclosure is made in compliance with section 8 of the Privacy Act, which allows 
disclosures of personal information with consent of the individual to whom the information 
relates (subsection 8(1)) or without consent in certain and limited circumstances pursuant to 
subsection 8(2) of the Act; 

b) only personal information elements that are necessary for the intended purpose are disclosed; 

c) the organization or third party receiving the personal information is authorized to do so; 


d) administrative, physical and technical safeguards appropriate to the sensitivity of the information - 
will be applied to protect the information during and after its transmission (see Question 15): : 

e) the organization or third party to which the personal information will be disclosed for the 
administration of the program or activity are identified in the “Consistent Use” section in the 
relevant PIB in CBSA info Source, including the specific purpose of the disclosure; 
the “Privacy Notice” or “Consent Statement” describes any disclosures of information; (Fora | 
copy of the CBSA Privacy Notice and Consent Statement template, contact the ATI and Privacy | 
Division) and, | 

f) the "Data Flow Diagram" or "Data Flow Tables" completed in "Section 4 — Flow of Personal 
Information" of the CBSA PIA include details on the disclosed personal information: (See Section 

: IV of Appendix "C" of Directive on Privacy Impact Assessment for a list of elements that must be 

mM : included in the data flow diagram or data flow tables.) 
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| 410.3% EI AND, any disclosure of personal information to another federal institution or outside the 
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vets, à an dile. a contract arrangement: uias to ensure “that appropriate p privacy 
protection clauses are included, and, where applicable, include provisions for inter-jurisdictional or 
transborder flows of personal information. Such clauses must cover the following topics: 


a) Control over personal information, where appropriate, 

b) Limitations on the collection, retention, use and disclosure of personal information. | 

c) Measures (administrative, technical and physical) to protect the integrity and confidentiality of | 
personal information. 

d) Measures governing the disposition of the personal information, where relevant 

ej Measures to ensure or Mida that the binden information is only used for the purposes related 


" Will controls and procedures be implemented to account for any new use or disclosure of the personal 

| | information that is not included in the relevant PIB published in CBSA Info Source? 

| YES 

E 1 Appropriate controls and procedures have been or will be implemented to ensure that: | 

a) the head of the institution (The ATI and Privacy Director) or the appropriate delegate is notified | 

| about any new use or disclosure of personal information that is not reflected in the PIB | 

| description published in CBSA Info Source; 

b) the consent of the individual to whom the information relates is obtained in writing, as 

: appropriate, prior to any new use of the information for an administrative purpose that is not 
reflected in the relevant PIB published in CBSA Info Source, unless the new use is considered to 
be consistent with the purpose for which the personal information was obtained or compiled and 
the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith regarding : 
the new consistent use; 
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c) except as permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 
information for a purpose that is not reflected in the relevant PIB published in CBSA Info Source 
will only be made with the consent of the individual to whom the information relates; 

d) arecord is kept for any new use or disclosure of personal information not described in the 

| relevant PIB published in CBSA Info Source, and that this record is stored with the personal 

| information to which it relates and retained for a minimum period of two years following sucha | 

use or disclosure; (The record of use or disclosure should include the name and title of the person : 

: authorizing the use or disclosure; the name of the institution, person, organization or body | 

| receiving the information; a description of the use or purpose of disclosure; a copy of the 

| information disclosed, or a description in sufficient detail to allow a determination of exactly what 
information was used or disclosed.) 

e) ifthe information is disclosed to a federal investigative body under paragraph 8(2 Me) of the | 
dici Act, the record of distlasure will be kept in a separate PIB for a period of two years where | 

mmissioner for review upon request; (e.g., Standard PIB — — 
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i 
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Ÿ 
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"Disclosure to Investigative Bodies” PSE 913 ‘= 
f) the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith, as required 
under subsection 9(4) of the Act, of any new use or disclosure that is consistent with the purpose 
for ee the : morman ion was obtained or complied, but which is not reflected in the relevant 


g) te — PIB is —— in time for the next edition of CBSA Info Source to include any new 
use(s) or disclosure(s) that are consistent with the purpose for which the information was 
obtained or compiled, as well as any routine use(s) or disclosure(s) that do not fall within the 
categories of purpose of collection or consistent use (e.g., these would include disclosures of the 
information under subsection 8(2) of the Act that take place on a regular basis. By including 
these routine uses or disclosures in the PIB, the CBSA would be relieved from the obligation to 
record each use or disclosure on the individual's file); and 


h) the Privacy Commissioner is notified, by the ATI and Privacy Director, prior to or forthwith, as 
required under subsection 8(5) of the Act, about any disclosures made or to be made in the 
public interest or in the interest of the individual to whom the information relates. — 


n EE 
—— ————————PPRPRRA 
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| - Detail : (This information is mandatory) | 
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_ the personal information to be collected and retained for the program or activity? (Input to this section 
| should be coordinated with and reviewed by the CBSA — IT - Security Directorate) 


| Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of sensitivity of 
| 
| 
1 


Statutory reference: Sections 7 and 8 DE Privacy Act. 


YES 
12.1| ] The information contained in the SoS or similar analysis has been taken into account when assessing 
the level of risks to privacy in "Section 2 - Risk Area Identification and Categorization" of the CBSA | 
PIA. | 
| 
: 


NO 


|42:2 x Please explain why a SoS or similar analysis was not considered necessary to assess the sensitivity of 
- the information. 


| Detail: T fie 2015 Statement of Sensitivity “Traveller Admissibility Determination Support 
Service” is considered sufficiently broad as to include the expansion of the EDL program to 
allow CBSA B5O'sa access sto the EDL database. 
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| Has a Threat and Risk Assessment (TRA) or a similar security assessment been completed for the program or 
activity? (Input to this section must be coordinated with and reviewed by CBSA — IT - Security Directorate) 


: YES 
| 13.1[X] Reference the title of the TRA or other security assessment in "Section 7 ~ Supplementary 
Dacuments List" and provide a brief synopsis of the assessment in the space below: 
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Detail: CBSA IT Seciirity IT Security impacted the components of the release to integrate RFID 
_ readers into conventional passage lanes at POEs via a Consultation Report. On all elements, the 
: | view across all risks being evaluated was LOW. A TRA for the RFID Processor to allow the CBSA 

to read additional RFID-enabled documents including the Canadian EDLs is in progress. At this 
: | time, the completion date is unknown. | 
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: | 13. 2 ie! AND, obtain assurances from the officials responsible for thep program or r activity that thet measures 
| recommended in the assessment have been implemented to ensure the confidentiality, availability 
and integrity of the personal information. 


| AND, ensure that any residual risks to personal information are known and accepted by the 
executive or senior official responsible for the program or activity and the Head or delegated 
authority for the Privacy Act. (ATI and Privacy Director) 


a 4 | | If a FRA or similar security assessment is underway, simply reference that fact in the space below and | 
indicate when it is likely to be com pleted. if there is no intent to complete o one, e, please explain | 
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Detail : ( This formation is mandatory) - 


"E NO | 
| 
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| 

P Please identify below any administrative, physical and technical safeguards in place, or to be implemented, 

| for this program or activity to ensure the confidentiality, availability and integrity of the personal 

| information. (Safeguards must be commensurate with the sensitivity of the information, the risks identified, 

| and the nature of the media in which the information is stored, handled and transmitted. This section must be 
completed with input from CBSA — IT - Security Directorate) 


| 
| Statutory reference: Sections 7 and 8 of Privacy Act 
| Policy reference: Appendix C of Directive on Privacy Impact. ssment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: Management o 
: form: | y Security (MITS] 

| Please cheek ali that apply, including safeguards identified by the TRA or similar security assessment. 


Policy reference: Appendix C of Directive on Privacy Impact Asse 
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14.1 Administrative safeguards 
Internal security and privacy policies and procedures 
x] Staff training o on n privacy and the e protection of f personal information" 
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[X] Screening a and security checks ofe employees - mE 
X] Appropriate security levels for employees who will have access to personal information 


X] Contingency plans and documented procedures in place to identify and respond to security and 
privacy breaches, and to communicate security violations to the data subject, law enforcement 
authorities and relevant program managers 


Regular monitoring of users' security practices 


Methods to ensure that only authorized personnel who need to know have access to personal 
information | 


[X] Restricted access areas 

X| Security guards 

X] Identification badges are worn by staff at all times 
| After hours alarms and monitoring systems 


Locked filing cabinets 
i" Combination locks 


|_| Safes | 
|] 


[ à Cipher locks 
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j Key cards 

| | Video surveillance (closed-circuit television) 
| Secured server locations 

| Backups secured off-site 

Other 
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| Role-based user — and authentication 
| Biometrics 
| Passwords (minimum of 6 characters long, include alpha and numeric characters) 


i 


Passwords are changed by users every 90 days and recently used passwords cannot be re-used} 
| Password protected screensavers | 


LX] Session-time out security (automatically locks an account after a session has been idle for a | 
specified amount of time) 
xX} Firewalls 


DXX Intrusion Detection System (IDS) 
[ ] Virtual Private Network (VPN) 
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X] Government of Canada ia Public key Infrastructure Certificates (PKI) 
External Certificate Authority (CA) 


15. Technology and Privacy - Tracking Technologies | 


| Will the information system(s) used to deliver the program or activity employ cookies or other tracking 
| technologies to collect personal information about users and their transactions? (input to this section should 
| be coordinated with and reviewed by the CBSA — IT - Security Directorate) 


Statutory reference: Sections 4 to 10 of the Privacy Act and section 4 of Privacy Regulations 
Policy reference: Subsections 6.1.1, 6.1.3, 6.1.9, 6.2.9 to 6.2.13, 6.2.17 and 6.2.23 of Directive on Privacy 
Practices 


SE RAA RAR ee 


YES 
15.1| | The specific tracking technologies to be used is adequately described under Part 6: Technology and 
Privacy of "Section 2 — Risk Area Identification and Categorization" of the CBSA PIA 
15.2| ] AND, the collection of any personal information using such technologies is reflected in the relevant 
PIB and in "Section 3 — Analysis of Personal information Elements" of the CBSA PIA; 
15.3| | AND, the use of such technologies to collect information about users and their transactions is 
adequately reflected in the "Privacy Notice"; 


information or who may have access to personal information collected through these methods are 


i 
| 
| 15.4[ | AND, those responsible for implementing and using tracking technologies to collect personal | 
made aware of privacy and security policy requirements; 
- 
1 


| AND, where personal information collected through such tracking technologies is used to make a 
decision that directly affects the individual to whom the information relates, it will be retained for a 
minimum of two years after the last administrative action as required under the Privacy Regulations. 


15.5. 


- NO 
| 15.6 X] Tracking technologies are not used to collect personal information about users. 


| 16. Technology and Privacy - Surveillance o or r Monitoring - 


= | Will the new or Miis Do program or ird dd resuit in new or Increased surveliance or dd of a 
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| Security Directorate) | 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 
Charter of Rights and Freedoms 


Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices ; 


16. 1| ] Consult with your legal advisors to determine whether or not such surveillance or monitoring 


activities raise any issues relating to the Charter of Rights and Freedoms, the Privacy Act or other - 
applicable acts. ; 


| 16.2 | | And, ensure the surveillance or monitoring method(s) to be used, the characteristic(s) of the 


Press, 


À Radio Frequency Identification (RFID) chip is embedded into the card. The chip, which is not visible, 


targeted population and the scope of the surveillance or monitoring are adequately described under 
Part 6: Technology and Privacy of "Section 2 — Risk Area identification and Categorization” of the | 
CBSA PIA. | 


16.3 AND, any personal information collected or created as a result of such surveillance or monitoring is 


n described in the relevant PIB and in Section 3 — Analysis of Personal Information Elements” of the 
CBSA PIA. | 

i 
AND, the collection or use of personal information through surveillance or monitoring is adequately 
reflected in the "Privacy Notice", unless such notification might result in the collection of inaccurate | 
information or defeat the purpose or prejudice the use for which the personal information is 
collected. 
Lj ü notice about s survei eillance c or r monitoring will not be provided | 


who: may have access s to pros our information callected or aes ; through t dise methods à are M | 
aware of privacy and security policy requirements. 


NO 


16.6 = The new or modified program or activity will not result in surveillance or monitoring. 


| While the CBSA will not use the RFID technology for surveillance or monitoring, EDL applicants are informed 
| about the risks of RFID in the Applicant Guides. 


Ontario's EDL Applicant's Guide states, 


contains a unique identification number only and does not contain any personal information. At the U.S. 
port of entry, an RFID reader will retrieve this reference number and transmit it to the U.S. Customs and 
Border Protection network, when the traveller attempts to enter into the U.S. Data encryption, secure 
networks and firewalls protect the information while it is being transmitted. U.S. Customs and Border 
Protection (CBP) uses the reference number to query the Ontario EDL records securely stored in Canada by : 
the Canada Border Services Agency (CBSA). CBSA retrieves the record and securely sends the information to : 
CBP to Find determine the holder's oe and Botentel MM into the United States. - 
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only remove it when you are using it at U.S. or Canadian ports of entry or if asked by any police officer to 
show your driver's licence. 


Manitoba's EDL Applicant Guide states, 


automatically identify objects. There are several methods of identification, but the most common is to store | 
a number that identifies an object on a microchip that is attached to an antenna (the chip and the antenna | 
together are called an RFID transponder or an RFID tag). The antenna enables the chip to transmit the 
identification number to a scanner when it is polled. The scanner converts the radio waves reflected back 
from the RFID tag into digital information that can then be passed on to computers that can make use of it. 


Radio frequency identification, or RFID, is a generic term for technologies that use radio waves to | 
| 
1 
j 


ERE 


Each Manitoba EDL or EIC has a RFID chip embedded in it to help speed up processing when you arrive at 
United States border crossings with RFID scanners. As you approach the border at a land or water port of 
entry into the United States, an RFID scanner will read your unique identifier number in your card's RFID 
chip (called the RFID Tag Value) at a maximum distance of 4.5 metres. The United States border agent can 
then use your unique identifier number to quickly retrieve the personal information about you stored in a 
secure database that he or she needs in order to verify your identity and citizenship and to help determine 
whether or not you will be allowed to enter the United States 


$ 
t 
i 


it is important to note that the RFID chip contains one piece of personal information — the RFID Tag Value 
that points to your EDL or EIC record. EDL and EIC records for all provinces issuing the cards are kept in a : 
secure database located in Canada and maintained by the Canada Border Services Agency (CBSA). To deter | 
and detect fraudulent EDLs and ElCs, your RFID chip is engraved with a Tag Identifier (TID) that uniquely 
identifies each RFID chip and prevents cloning. Your EDL or EIC card is manufactured utilizing multiple layers 
of the highest quality plastics making it counterfeit resistant. It will also withstand ultraviolet (UV) raysand  : 
will not fade with age. 


——————————— — eee RA 


If there are no RFID scanners at the border crossing where you are entering the United States, the border 
| agentcan swipe the MRZ on the back of your EDL or EIC to access your unique Encoded Document Number. 
| YourEncoded Document Number performs the same function as the RFID Tag Value — allowing the border | 
agent to quickly access personal information about you from your EDL or EIC record in the CBSA's secure, 
| Canadian database — but the actual numbers of the RFID Tag Value and Encoded Document Number are 
| different for added security. Your EDL or EIC will come with a protective sleeve to help prevent tracking of 
| your movements by an unintended RFID scanner. It is essential for your privacy protection that you keep 


card without your knowledge. 
However, if your RFID chip is read by an unintended scanner, the scanner would be able to retrieve the RFID 
Tag Value only; that number could not be used to access your personal information stored on the secure 
CBSA database. 
Your personal information is safely transmitted from the secure CBSA database through a secure encrypted 
| network connection to the United States Border Crossing Information (BCI) system. Manitoba EDLs and EICs | 
are also mailed in a protective envelope to prevent any possibility of the RFID chip being read during | 
delivery to the cardholder. It is important that your protective sleeve is not torn or otherwise damaged as it 
could potentially allow reading of the card by an unintended scanner. If the protective sleeve becomes 
damaged, immediately obtain a replacement sleeve free of charge from an Autopac agent or any Manitoba 
Public Insurance Service Centre. | 
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British Columbia's EDL Applicant Guide states, 
Radio po ene anon Chip: 


unique | identifier ue de a e ID namber. 

Unique identifier number: 

RFID readers are located at select U.S. border entry locations. The RFID reader will read the unique identifier 
number, which will be used by U.S. customs to access limited personal information that's stored in a secure 
database located in Canada and maintained by the Canada Border Services Agency. 


REPRE. 


Your information will then appear on the U.S. customs officer's screen as you approach the booth. If there 
are no RFID readers at the border crossing, the optical character recognition (OCR) unique identifier number - 
on the back of your EDL will call up the same information from the same Canadian database when you | 
| present your EDL card to the U.S. customs officer at the booth. 


Tag ID number: 

The tag ID number is embedded in the RFID chip by the chip manufacturer making it very difficult, if not : 
impossible, to clone a copy of your card. Neither of these numbers are your driver's licence number and 
there is no other information on the RFID chip. 
Protecting your EDL: 


your unique identifier numbers from a short distance, without your knowledge. Even if your unique 

identifiers are read, your personal information is safe from unauthorized access as it's protected in a secure 
CBSA database. The numbers on the RFID don’t relate to any other personal identifiers such as your driver's 
licence number and can't be used to impersonate you. 


There are some situations in which a person with access to RFID-reading technology may be able to read 


For added security, ICBC provides a protective sleeve for your EDL to prevent the RFID chip from being read 
when you're not using it to cross the border. You'll receive the protective sleeve in the mail with your card. 
For your protection keep your EDL in the sleeve when it's not being used and replace it if it becomes torn or 
crumpled. Replacement sleeves are available at ICBC driver licensing offices without charge for EDL 

- cardholders. 


E ———AÀ eene ——————————AAAAAA—— HÀ —————————————ÓÁá' n ———R— M——— 
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| Dows the program or activity involve compliance/regulatory investigation or law enforcement, surveillance 
or intelligence gathering that targets specific individuals against whom penalties, criminal charges or 
| sanctions may be applicable? 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 
Charter of Rights and Freedoms 
n Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
| YES 

Eu 1x x Consult with your legal advisors to determine whether or not the compliance/regulatory 
| investigation or law enforcement activities raise any issues relating to the Charter of Rights and 
Freedoms, the Privacy Act or other applicable acts. 


RR nee ee ee RAA DR RER RP RSS SSII TS TT TE EE 


EZ 2 [X] AND, identi ify the legislative authority and the specific regulatory or law enforcement purpose 
vane 


ann A SSSR ERES ERES EE ee tte e S: 
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E à import Permits Ait, ihe Controlled Drugs and Substances Act a DPA a and the proceeds oF || 

| Crime (Money Laundering) & Terrorist Financing Act for the purposes of obtaining information | | 

| on persons who are suspected of border related illegal activities, including contraband 
 smuggling and immigration violations. 


17.3 xX] AND, if the legislative authority differs from the | legal authori ity for the program or activi tye ensure it 
is adequately reflected in the response to Question 1 of "Section 5 — Privacy Compliance Analysis" 
: and in "Section 1 — Overview and PIA initiation “of the CBSA PIA. | 
| 17.4 AND, any personal information collected or created as a result of such regulatory or criminal 
| enforcement, surveillance or intelligence gathering program or activity is described in the relevant 
- PIB and in "Section 3 — Analysis of Personal information Elements" of the CBSA PIA. | 
| 17.5| | AND, the collection or use of personal information through these compliance / regulatory | 
| investigation or enforcement activities is adequately reflected in the "Privacy Notice", unless such 
notification might result in the collection of inaccurate information or defeat the purpose, or | 
prejudice the use, for which the personal information is collected. | 
| a If notice about the compliance/regulatory investigation or law enforcement activities will not be : 
/ provided. : 


HORUM Rama tte oh are CN RO COO BAR A a AA PI BÍ II It t AA PAPAE meme 


| | Details: This is is an n indirect collection of information; | no notice is required by law however 
| | two of the provinces already notify individuals that the information could be used for the 
| i 


H 


enforcement of IRPA. | 
| 17.6| | The program or activity does not involve the conduct of regulatory or criminal enforcement, | 
| surveillance or intelligence gathering. | 
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1) The Notice provided by the Provinces will need to be Updated — Currently, the notice provided by 
Ontario and British Columbia informs applicants that the CBSA may use the information for the 
administration and enforcement of the Immigration and Refugee Protection Act. It is unclear how 
that would apply to Canadian citizens and the provinces should consider updating their notice 
provisions to the simple language from the MOU: CBSA will use the information for border crossing 
purposes. Manitoba does not inform applicants of the current proposed use. If it is determined 
that the administration and enforcement of IRPA is sufficient notice for applicants, then the CBSA 
would be permitted to use the EDL information for Ontario and BC card holders only. Manitoba 
does not provide notice of that use of the information and is clear in communicating the permissible 
uses. While the option of "consistent use" has been considered, it is likely that the use of the 
information would be considered a secondary use and, as such, would require the consent of 
current Manitoba cardholders. ifit is determined that the administration and enforcement of the 
immigration and Refugee Protection Act cannot be applied to Canadian citizens crossing the border, 
then the use of all information related to current card holders would be considered a secondary use 
and, as such, would require the consent of ali current card holders. 


Mitigation Measure — The CBSA is using this information for immigration purposes, which is a 
primary use under IRPA. Ontario and Manitoba have advised the CBSA that notifications have been 
drafted to send to existing cardholders to reflect the expanded use of the data by the CBSA. The 

gem. CBSA has strongly encouraged British Columbia to issue a similar notice. At the time of this PIA, 
those notices are still being drafted. 


2) The MOUs with the Provinces should be updated — The MOUs as originally drafted with the 
provinces did not contemplate the CBSA using the EDL information for border crossing purposes. 


Mitigation Measure — The MOUs with each of the provinces have been amended to ensure the 
language for permissible uses is inclusive of the CBSA's accessing of the data held on behalf of the 
provinces. 


3) The Personal Information Bank needs to be updated: Suggested revisions to the Personal 
Information Bank are included as part of this PIA. 


Mitigation Measure — In summary, the description was updated to reflect a description of the 
personal information, not the program. Elements of personal information collected were updated 
to be comprehensive. The Purpose in the PIB was updated to reflect a new use of the information by 
the CBSA BSOs. The legal authorities were updated to include references to IRPA. Availability of the 
information for query by the U.S. was removed from consistent uses, as this had been the primary 
use for the collection. 


4) There is no demonstrated notice provided at the border by BSOs — There are no Privacy Notice 
scripts provided to BSOs for use at land / water POEs. 


Mitigation Measure — the provision of notice when a BSO collects border crossing documents 
(Passport, Birth Certificate or EDL) and notes the border crossing details should be considered for 
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implementation by the CBSA. This risk and mitigation measure, however, is not limited to the EDL 
initiative. 


document for entry could trigger an inadvertent collection of EDL data by not having the EDL in its 
sieeve. 


Mitigation Measure — to address this scenario, the BSO has the ability to "flush" the travel 
document in the course of processing the traveller. The passage history would not reflect the EDL. 


6) No TRA has been completed for the RFID Processor, which will aliow the CBSA to read RFID- 
associated with reading RFID-enabled documents has not yet been completed. 


Mitigation Measure — to address this, the CBSA is in the process of completing a TRA. The 
completion date is not yet known; however, the process has been started. 


7) The installation of the RFID readers, including the construction of the required infrastructure, has 
begun — given the lack of a TRA supporting the usage of RFID technology, the risk to personal 
information has not yet been assessed. 


Mitigation Measure - to address this, the CBSA is in the process of completing a TRA. The 
completion date is not yet known; however, the process has been started. 


SECTION 7- S pp DOCUN 


Privacy Impact Assessment of the Enhanced Driver's Licence (EDL) Program, January 2008 
Enhanced Driver's Licence and Enhanced Identification Card Program Privacy impact Assessment 
Update, December 2008 . 
Ontario Enhanced Driver's Licence Applicant Guide 
Manitoba Enhanced Driver's Licence Applicant Guide 
British Columbia Enhanced Driver's Licence Applicant Guide 
Memorandum of Understanding Respecting the development and implementation of Ontario's 
Enhanced Driver's Licence and Enhanced Photo Card Program between the Government of 
Canada and Province of Ontario 
e. Memorandum of Understanding Respecting the development and implementation of the 
Manitoba Enhanced Identification Card and Enhanced Driver's Licence Program between the 
Government of Canada and the Government of Manitoba 
¢ Memorandum of Understanding Respecting the development and implementation of British 
Columbia's Enhanced Driver's Licence and Enhanced Identification Card Program between the 
Government of Canada and the Province of British Columbia 
e Addendum to the Memorandum of Understanding Respecting the development and 
implementation of Ontario's Enhanced Driver's Licence and Enhanced Photo Card Program 
e Addendum to the Memorandum of Understanding respecting the development and 
PE implementation of the Manitoba Enhanced Identification Card and Enhanced Driver's Licence 
Program 


* 
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Addendum to the Memorandum of Understanding Respecting the development and 
implementation of British Columbia's Enhanced Driver's Licence and Enhanced Identification Card 
Program 

Secondary Processing and Passage History IT Threat and Risk Assessment (TRA) 
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| The following signature represents a The following signature represents a commitment [ 
| commitment to comply with sections 4 to 8 of by the Head of the institution or his/her 
| the Privacy Act and the related privacy policy delegate(s) who is responsible for establishing 
| requirements outlined in the CBSA PIA as they personal information banks in accordance with | 
| relate to the administration of the identified section 10 of the Privacy Act. | 
| program or activity. 
JUL 1 8 2017 - 
a aa 

| 

| 


omplian 


Note: The table below must be used to keep an account of actions completed and to track outstanding actions required to 
achieve privacy compliance: 


Privacy Action required to support legal and policy compliance Done Tobe 
Compliance (cross reference to relevant question of Section 5 — Privacy . done 


Analysis question Compliance Analysis) 
H 


n Legal authority for the program or activity has been established andis X |] 
reflected in the relevant PIB. : 


2 a) The categories and elements of personal information to be 
collected for the new program or activity have been carefully 
assessed based, for example, on the CBSA's experience gained with x 
the administration of a similar program or activity. The personal | 
data collected will be limited to only that which is required.) 
b) Categories and elements of personal information have been 
described in the relevant PIB for the program or activity. 


c) Controls and procedures will be implemented to ensure the CBSA | 
does not collect more personal information than necessary forthe 7 | 
program or activity and that a continuing need exists for the 
personal information and its collection. 
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Privacy Action required to support legal and policy compliance Done - To be 
Compliance (cross reference to relevant question of Section 5 — Privacy | . done 


Analysis question Compliance Analysis) 
" 


4and 5 a) All of the requisite "Privacy Notices" and "Consent Statements" 
that meet the requirements of sections 6.2.9 to 6.2.12 of the 
Directive on Privacy Practices have been drafted. (Texts of the 
notices and consent statements must be included as an annex.) For - 
a copy of the CBSA Privacy Notice and Consent Statement | 
template, contact the ATI and Privacy Division. 


b) Controls and procedures have been implemented to keep records 
of individual consents, and to ensure that persons acting on behalf 
of individuals who do not have the capacity to provide consent 
have the authority to do so under section 10 of the Privacy 
Regulations. 


7 a) ARecords Disposal Authority (RDA) has been approved by Library 
| and Archives Canada to authorize the disposal of the records 
containing personal information for the program. 


b) Controls and procedures have been implemented within the | KK 
program or activity and the CBSA ATI and Privacy Division to 
E ensure that information that has been used for an administrative 
purpose will be kept for the minimum retention period 
established by the Privacy Regulations. 


C) Reference to the RDA, the retention period and the disposition 


Other Privacy Considerations related to specific principles that are not explored in the previous 17 sections: 
(these considerations should be explored in the Executive Summary) 


Openness Describe how the results of any privacy impact assessment or audit DJ] : [i 
will be made available to the public. The Executive Summary will be 
published on the external CBSA ATI and Privacy Division website at 
http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia- 
efvp/atip-aiprp/pias-sefp-eng.html 


Are policies and practices relating to the proposal's management and 
handling of personal information available to the public? 


Is there a communications plan to explain to the public how personal 
a information will be managed and protected? 
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Privacy Action required to support legal and policy compliance Done Tobe 
Compliance | 

Analysis question 
# 


(cross reference to relevant question of Section 5 — Privacy | done 
Compliance Analysis) v 


such information and/or communicate with appropriate individuals 
with respect to policies and practices relating to management and 
protection of personal information? 


Where appropriate, will public consultation take place on the privacy 
implications of the proposal? 


Individual's Access isthe system designed to ensure that an individual can have access to 
to his/her personal information, including all other programs or | 


annales applications that have received copies of the information? s. 12(1) 


make privacy requests or requests for the correction of personal 
information? s. 12 (2) 


If appropriate, are individuals provided with access to their personal 


Challenging Are the complaint procedures for the proposed program or service 


To improve information management practices and standards, hasa Wad L] 
procedure been established to log and periodically review the nature, : 


Commissioner, issued reports or opinions on issues that would be 
relevant to the proposal? 
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fice of the Privacy Commissioner Expectations 


In their March 2011 document, Expectations: A Guide for Submitting Privacy Impact Assessments to the 
Office of the Privacy Commissioner of Canada, the Office of the Privacy Commissioner (OPC) has 
expressed the importance of analysing the risks of the project, program or initiative against the ten 
universal privacy and fair information practice principles of the Canadian Standards Association Model 
Code for the Protection of Personal Information. 


The most relevant demonstration of the privacy risk and compliance analysis is the action plan. The OPC 
has said the following in their Expectations guide with respect to the action plan: 


Once privacy risks and their proposed mitigating measures have been identified, we expect to 
see an Action Plan drawn up by the institution, indicating a specific time frame for remedying or 
mitigating the risks that have been identified, and if possible, naming a specific person or staff 
position accountable for taking action. 


The action plan must list all privacy risks and compliance issues identified in the PIA and supplementary 
documentation. All risks and issues must be organized by the 10 universal privacy principles. 


All recommendations and proposed mitigation strategies must also be described in the action plan. 
identify the responsible program area and the timeline for completion or implementation of the 
strategy. The ATI and Privacy Division will provide programs with an action plan template to be 
addressed near the end of the PIA process. 


The expectations of the OPC for each privacy principles are included below for your reference. 


Accountability 

Under this principle the OPC would expect to see documentation of an administrative structure for 
privacy, including input from legal services, access to information and privacy and information 
technology branches within an institution, with defined processes for determining when new projects 
require PIAs, for carrying them out, implementing mitigating measures and auditing for assurance of 
compliance. We expect PIA reports to be signed off at the appropriate level, and that training in privacy 
issues and procedures has been documented and is refreshed with employees regularly; and that 
privacy protective language is included in all contracts with third parties handling personal information 
in accordance with TBS guidance documents and internationally accepted best practices; and that 
regularly scheduled privacy compliance audits will be undertaken and the findings acted upon. 


Identifying Purposes 

The Privacy Act restricts federal government institutions to the collection of persona! information that 
relates directly to an operating program or activity of the institution, so we would expect to see a clear 
description of the program and why each piece of information is needed; a description of the legislative 
authority for the collection; a clear listing of all the data elements collected; copies of any relevant 
documents such as application forms identifying the purpose for the collection or on-line notices of use; 
a copy of an up to date Personal Information Bank (PIB) description; a statement of any proposed new 
consistent use of information previously collected and a clear rationale as to how the use is reasonable 
and directly connected to the original collection — this may include an analysis of how an individual to 
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whom it relates would reasonably expect it to be used for that purpose; a statement outlining any 
intended secondary uses of the information; whether the information is collected directly from the 
individual and if not, why; and a description of how personal information used for planning, forecasting 
or statistical purposes would be anonymized or de-linked from individual identifying information. 


Consent 

This is closely tied to the Identifying Purpose principle. Under this principle, OPC would expect to see a 
copy of notification language on forms or websites; a clear description of the purpose for collection; a 
rationale for not seeking consent, as is provided for in the Privacy Act; for web sites, a copy of the 
Privacy Notice Statement under which personal information is submitted to the institution. 


Limiting Collection 

Under this principle, OPC would expect to see a clear justification of the need for each data element 
collected, in keeping with the requirement of the Privacy Act that no personal information is to be 
collected by a government institution unless it relates directly to an operating program or activity of the 
institution; an indication that a data minimization exercise has been undertaken to ensure that each 
data element is necessary and that this exercise will be refreshed regularly; and that information 
collected from another department for a secondary use will be purged of all but the essential data 
elements before use. 


Limiting Use, Disclosure and Retention 

Under this principle, OPC would expect to see a description of the specific uses and proposed 
disclosures of the information; a clear statement limiting the use of the information to the purposes 
identified; a clear retention policy and disposition schedule that is also noted in the PIB; a process for 
destruction of the information that is in keeping with the Privacy Act and Regulations; copies of MOUs 
or agreements with third parties to whom information is disclosed governing its use, retention and 
disclosure, and clauses with contractors or sub-processors of information indicating the originating 
institution has the right to audit for compliance with privacy provisions. 


Accuracy 

Under this principle, OPC would expect to see a description of the process used by entities to ensure 
accuracy, particularly when administrative decisions are made; a description of how changes to records 
are logged and monitored; a statement of whether automated decision-making based on risk profiles is 
being undertaken and how automated decisions are vetted for accuracy; an explanation of the 
processes open to individuals seeking to correct information; a description of the process by which 
second or third parties to whom information has been disclosed will be notified of changes and 
corrections to the record; and a description of how audit trails of records transactions are monitored 
and evaluated. 


Safeguards 
OPC would expect to see under this principle a description of the physical and electronic safeguards that 
are in place to protect information; a Threat & Risk Assessment (TRA) with emphasis on privacy risks and 
concerns and a discussion of how these concerns have been remedied or addressed; a notation that 
encryption is used for personal information both in transit and at rest; a description of how system logs 
of information transactions are monitored for inappropriate use, including viewing of the information; 
d strong electronic access control, including controls on remote access, and the use of mobile devices; 
policies for the use of portable storage devices such as flash drives; a description of role-based access 


ON 
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controls; and a description of the steps taken to ensure complete destruction of the information at the 
end of its life cycle. 


Openness 

Under this principle, OPC would expect to see a summary of the PIA written in plain, understandable 
language, posted on the institutional website in a manner accessible to the general public and 
containing a link to the relevant PIB description in CBSA Info Source; for particularly sensitive or privacy 
invasive programs we would expect to see the public communications plan described in the PIA, 
including a variety of methods such as posters, brochures and media announcements as well as detailed 
discussion of the PIA in the institution's Annual Report under the Privacy Act; a description of 
consultations with key stakeholders and the privacy risks or concerns raised should be readily available 
on the website; the name and contact information of an individual accountable for the handling of 
personal information should be easily obtained through the website or by calling the institution's main 
public number. 


Individual Access 

Under this principle, OPC would expect the PIA to include a description of any informal process the CBSA 
may have in place for access to and correction of personal information; an up to date and 
comprehensive description of information contained in the PIB corresponding to the initiative; a 
description of the process by which information in the hands of third parties is corrected following 
requests; a description of how the general public is made aware of these processes, for example, by a 
link and/or a toll-free number shown on the home page of the institutional website. 


Challenging Compliance 

OPC would expect to see the PIA address this principle by indicating clearly who is responsible for 
receiving and resolving privacy complaints; describing complaints that may have been received in any 
similar activity or pilot project and how they were handled; including privacy issues in project 
evaluations or feasibility reports; describing how and when compliance audits for privacy will be 
undertaken; including information on how to file a complaint with OPC under the Privacy Act; and 
reporting in some detail on specific and/or systemic privacy issues in its Annual Reports. 
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ersonal Information 
The Description section in a personal information bank (PIB) describes the personal information 
in the records to which the bank relates. Treasury Board Secretariat has established the 
following categories of personal information, which give examples of specific elements of 
personal information that fall under each category. The purpose of the categories is to reduce 
the number of personal information elements that need to be listed in the Description section. 
These categories are representative of the personal information collected by most institutions, 
and they now appear in many of the CBSA registered PIBs. The ATI and Privacy Division 
modified the original list to reflect CBSA business lines. 


Biographical information (e.g. work history, curriculum vitae, family information, 
Passenger Information, etc.) 
Biometric information (e.g. blood type, eye or facial scan, DNA, finger / hand prints, etc.) 
Contact information (e.g. work and / or home information, including postal and e-mail 
addresses, telephone, fax, cell phone numbers, etc.) 

Citizenship status or Nationality (e.g. citizen, landed immigrant, etc.) 

Crew detailed information 

Criminal checks / history (e.g. information related to criminal record checks, 
investigations, charges, conviction dates and locations, pardons, etc.) 

Date of birth 

Date of death 

Destination City 

Employee identification number (e.g. Personal Record Identifier) 

Employee personnel information (e.g. records of attendance and leave, notices of 
disciplinary action, alternative work arrangements, decisions concerning compensation 
and fitness for work, official languages qualifications, salary, deductions, level of security 
clearance, performance reviews and appraisals, rating board assessments, including 
evaluation notes from staffing boards, training and development course applications 
and evaluations, etc.) 

E-Ticket Information 

Financial information (e.g. income, investments, mortgages, loans, orders of 
garnishment, financial institution information for direct deposit and other banking 
purposes, including name and branch number of institution, account number(s) and 
name(s) on accounts, etc.) 

FOSS ID / GCMS UCI / IBAS Ref # 

Gender 

Itinerary Cities 

Language (e.g. mother tongue, official and other languages, etc.) 

Medical information (e.g. psychological assessments, blood type, etc.) 

Name (e.g. last name (surname/family name), given names (first, second or more), 
maiden name, nicknames, aliases, etc.) 

Opinion or views of, or about, individuals 

Passenger Name 

Passport Number or Travel Document Number 

Place of ticket purchase 
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Photos 

Physical attributes (e.g. height, weight, color of hair and eyes, physical markings (scars, 
tattoos, body piercing), etc.) 

Place of birth 

Place of death 

Port of Embarkation and Port of Debarkation 

Signature 

Special Travelling Considerations such as Employee Pass, Buddy Pass and Parental 
Passes 

Visa Number 
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This privacy impact assessment (PIA) is intended to assess privacy risks within the Canada Border 


Services Agency's (CBSA's) planned demonstration of facial recognition (FR) technology at Pearson 
International Airport, currently expected to begin in early 2016. This project is divided into two phases. 
The demonstration phase will last for six months and will use facial recognition technology to match 
travellers against a database of previously deported persons (hereinafter referred as the "Previous 
Deportation Database" or PDD). This will be followed by a three- to six-month lab evaluation phase 
where the technology's performance will be assessed. Currently, the CBSA has no definitive plans to 
deploy this technology for full-time operational use. The solution described in the PIA is a demonstration 
to test the efficacy of FR software in an operational border context. The success or failure of the project 
will assist CBSA senior management in making further testing decisions regarding FR technology use 
within the border context. The CBSA recognizes that any future testing or use of FR technology will 


require an additional PIA. 


This PIA has been drafted using the CBSA Policy on the Overt Use of Audio-Video Monitoring and 


completely separate from the CBSA's existing use of Overt Audio/Video surveillance. The AV Policy was 
implemented on August 15, 2011, revised in November 2012, and updated again in July 2013. The 
current version the policy dates to November 2013. No audio will be collected or used in this project. 


who have been deported after being admitted into Canada. These travellers have been deemed 
inadmissible for any of a number of reasons, such as security, criminality, health grounds, 
misrepresentation, or non-compliance with the IRPA. Many of these inadmissible travellers try 

persons and other, similar lists to identify inadmissible travellers at ports of entry (POEs). Many such 
travellers, however, use false identity documents, or even legally change their names in their home 
countries and obtain new, legal travel documents under their new names. Name-based lists such as 
those currently in use have inherent limitations which can be overcome using biometric technologies. 
Although FR technology is widely available for a variety of applications, the use of face recognition with 
live video has not yet been tested in an operational environment by a Canadian law enforcement body. 
The CBSA is planning to conduct this demonstration of FR technology to assess whether this technology 
solution is effective, feasible, and accurate for identifying inadmissible travellers in a busy Port of Entry 
environment. 


The CBSA plans to deploy multiple project-specific cameras in the CBSA-controlled area of the 
international arrivals section of Terminal 3 at Pearson International Airport. The cameras for this project 
will not be connected to the existing camera network that supports video surveillance at Terminal 3. 
Also, the project cameras are connected to the project's FR server and associated applications, but not 
existing CBSA information systems. 


Areas and activities that may be monitored or recorded include, but are not limited to: approaches to 
the arrivals hall, approaches to Primary Inspection Line (PIL) booths, during PIL interviews, approaches 
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travellers seeking admission into Canada as they move through the CBSA-controlled area. This 
technology will not be used in Customs Controlled Areas outside the CBSA's traditional processes. 


These cameras will record and store images of travellers' faces. No audio will be collected or used in the 
FOTM project. A dedicated FR system will compare these "live-capture" images with a database of 
stored images of persons who have previously been deported or removed from Canada that is specific 
to this technology demonstration . The system will notify CBSA officers when a match is detected. After 
human review of the match, an officer will be dispatched to find the traveller to refer them to secondary 
inspection. Some cameras, known as "scene cameras", will also record video of the areas under 
surveillance. These video recordings will show what a traveller is wearing and carrying and who they are 
with; this will make it easier for the CBSA to identify and find the traveller in the airport if the traveller is 
matched by the system with a person of interest. 


As the CBSA has no guarantees that a PDD individual will enter through Terminal 3 during the project, - 
volunteer CBSA employees (defined as "actors" throughout this document) will have their photographs 
and fictitious bio-data elements stored in the FR system as well. 

After six months of operation, the equipment will be re-located from Terminal 3 to the CBSA's Science 
and Engineering Directorate (SED) lab in Ottawa, where further tests will be conducted to measure and 
possibly improve the system's performance. 


Protecting your Personal Information 


In order to carry out its mandate, the CBSA must collect a wide variety of personal information. The 
collection of this information is required in order for CBSA officers to make admissibility decisions 
regarding persons who wish to enter Canada. Although the CBSA is already using overt video 
surveillance, this technology demonstration will involve putting that information to a new use that 
supports the CBSA's admissibility determination processes. The differences between the current AV 
program and the Faces on the Move demonstration are in the ways the information will be used and the 
length of time it will be retained. 


Through the use of closed-circuit television (CCTV) technologies, as described in the P/A on the Overt Use 
of Video Monitoring and Recording Technology that was submitted to the Office of the Privacy 
Commissioner (OPC) in November 2013, the CBSA is capturing the physical images of travellers or 
members of the public (although these images are not current being used to support admissibility 
decisions), in addition to the other elements of personal information already collected. Within the 
CBSA, only those employees who require access to video recordings or photographs as part of their 
duties are permitted to do so as per CBSA policies and procedures. 


Some personal information collected through the Faces on the Move demonstration may be used in 
support of the CBSA's admissibility determination process. As a result, photographic and video records 
(excluding FR templates and related data) may be disclosed internally to CBSA personnel. Within the 
context of this time-limited technology demonstration, photographic and video records will not be 
shared with any external stakeholders. 


Any access to or disclosure of facial photos, scene camera recordings, or PDD records will be governed 
by the provisions of the AV Policy. 
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qm Retention 


The retention practices for the Faces on the Move demonstration will be governed by the provisions of 
the AV Policy, with some variances. In particular, facial photographs, some scene camera recordings, and 
PDD records must be retained until the end of the project. All records will be destroyed at the end of 
the project, except for records that were used for an "administrative purpose" (e.g., where a match was 
verified and a traveller was identified and diverted to secondary screening). Any records used for an 
administrative purpose will be retained for two years following the date of last use in accordance with s. 


4 of the Privacy Regulations. 


Right of Access 


All records, regardless of storage medium, will be stored either in a locked cabinet (container or a safe) 
orina secure room designed in accordance with specifications approved by the Infrastructure and 
Information Security Division of CBSA. 


Records will be securely retained in accordance with established policies and guidelines, and may be 
disclosed within the CBSA. For the duration of this time-limited technology demonstration, records will 
not be shared with external organizations. 


Individuals may formally request access to their personal information, or access to corporate records 
s to or created as a -EBSUR oft the Faces on ined Move project contacti ting the Access to 


SEO te, 


requi irements specifi fied on 1 the Treasury Board of Canada Secretariat! Personal E mation s Request form, 
individuals requesting information described by this bank must provide the subject and date of 
correspondence, incident and location and legal authority for those acting on behalf of an account 
holder or estate. 


Accountability 


if individuals have concerns about the collection, use, disclosure or retention of their personal 
information, they may issue a complaint to the CBSA ATIP Division. Complaints should be made in 
writing, and include their name, contact information, and a brief description of their concerns. Contact 
information for the ATIP Division at the CBSA can be found here: 


Venen 


http: //cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip /contact-eng.html 


To make a compliment, comment or complaint, the CBSA has made available a feedback form to help us 
to understand our clients and improve the delivery of our programs and services. Information on 
providing feedback can be found here: 


sfc.gc.ca/contact/com-eng. htm! 


The CBSA posted a Video Recording and Monitoring Privacy Notice on its external website on November 
19, 2012. This Privacy Notice states: 
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The Canada Border Services Agency (CBSA) uses video monitoring and recording 
technology to fulfill its mandate and to increase its ability to protect the public, and to 
protect employees and assets of the Agency. The use of video monitoring and 
recording technology is an integral part of the CBSA's security framework and 
operations management. 


Cameras monitor and record CBSA operations at ports of entry and inland offices. 
Areas and activities that may be monitored or recorded include, but are not limited to: 
primary interviews, secondary examinations, interactions at CBSA information 
counters, cashier counters, commercial counters, detention cells, and interview rooms. 
Cameras may also monitor the movement of travellers and goods from one point ina 
CBSA operation to another, for example, from primary to secondary. 


Use of Recordings 


The CBSA collects personal information using overt video monitoring and recording 
technologies at ports of entry and inland CBSA service locations, to carry out the 
mandate of the CBSA under the authority of the Canada Border Services Agency Act. 
Recordings may be used to investigate suspected offences related to border 
legislation, and may be used as evidence in court proceedings. Recordings may also be 
disclosed as permitted by legislation to the Canadian Security Intelligence Service, the 
Royal Canadian Mounted Police, and/or to municipal, provincial or local law 
enforcement agencies to investigate or enforce federal laws. 


Retention and Disposal 


Any new or replacement video monitoring and recording equipment must be able to 
retain recordings for no less than 30 days. Recordings that are used by the CBSA shall 


be kept for two (2) years following the date of their last use. 


Upon expiry of the above retention periods, recordings are permanently 
. deleted/overwritten, or in the case of removable media, recordings are physically 
destroyed. 


Access to Information 
individuals have the right to access their personal information and the right to ensure 


their personal information is appropriately protected under the Privacy Act. The 
information collected is described in info Source under the Overt Audio-Video 


Surveillance Personal Information Bank CBSA PPU 1104. 
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IAT 


| audio-video 

. Policy on the Overt Use of Audio-Video Monitoring and Recording Technology 
certificate authority 

. Canadian Armed Forces 

- E Canada Border Services Agency 
closed-circuit television 

. compact disc 

: Community of Practice 

— Canadian Police Information Center 
Canadian Security intelligence Service 
. Centre for Security Science 

| : Canadian Safety and Security Program 


| data flow diagram 
: v . Department of National Defence 
| Defence Research and Development Canada 
digital video disc / digital versatile disc 
s Wo Field Operations Support System 

| | Faces on the Move 

Facial Recognition 
Global Case Management System 
Human Resources 
identification 
is intrusion detection system 
. Institute of Electrical and Electronics Engineers 
" Immigration and Refugee Board 
~ : immigration and Refugee Protection Act 
| Information, Science and Technology Branch 


Multi-Institutional Disposition Authorities 


Operational Security Standard: Management of Information Technology Security 
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.. not applicable 


National Case Management System 
| puer s . Office of the Privacy Commissioner 
_ program activity architecture 

| Previous Deportation Database 
| . privacy Impact assessment 
personal information bank 
Primary Inspection Line 

public key infrastructure 


POC _ — Privacy Oversight Committee 


port of entry 


Public Safety Canada 


- Royal Canadian Mounted Police 
o Records Disposition Authority 

| Ut radio frequency identification 

Science and Engineering Directorate 

| uocis Inzncance number 

statement of sensitivity 

|... Treasury Board of Canada Secretariat 

oe S Transport Canada 


threat and risk assessment 


universal serial bus 


| VPN _ _ - c _ virtual private network 
Wi-Fi E v ~ Atrademarked term that identifies wireless networking products that comply with 


Faces o on nthe Move: Mutti- camera a Screenin 
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The es Act defines an sadnite purpose” "to be the use of an | individual's 
personal information in a decision-making process that directly affects that 
individual, 


is a use that has a reasonable and direct connection to the original purpose(s) for 
which the information was obtained or compiled. This means that the original 
purpose and the proposed purpose are so closely related that the individual would 
expect that the information would be used for the consistent purpose, even if the 
20 0 useis not spelled out. 


c As used in this report, is the technologies and processes used to identify a person by 
; | comparing a digital image or video frame of the person's face with a database of 
.. known facial images. 


| ource _  Îs a series of annual Treasury Board Secretariat publications in which government 
-~ . institutions are required to describe their institutions, program responsibilities and 
information holdings, including PIBs and classes of personal information. The : 
F _ _ — descriptions are to contain sufficient clarity and detail to facilitate the exercise of the 
| right of access under the Privacy Act. Data-matching activities, use of the SIN and all _ 

activities for which privacy impact assessments were conducted have to be cited in 

i info Source PIBs, as applicable. The info Source publications also provide contact 

information for government institutions as well as summaries of court cases and 
statistics on access requests. 


. Is a description of personal information that is organized and retrievable by a 
— person's name or by an identifying number, symbol or other particular assigned only 
to that person. The personal information described in the personal information bank 
has been used, is being used, or is available for an administrative purpose and is 
under the control of a government institution. 


e . The term "Primary Inspection Line" is used to refer to the point at which the person 
entering Canada makes a report of his or her person and goods as required under 
the Customs Act and the IRPA. The CBSA has PIL booths from which officers conduct 
~ e 200 primary examinations. 


“Scene c c mera c |J... Avideo camera deployed as part of the Faces on the Move project that records 
| wide-angle video scenes at various locations in the CBSA-controlled areas of 

Terminal 3 at Pearson International Airport. When a potential match from the 
Previous Deportation Database is identified, a short video clip from a scene camera 
will be added to the match record. The video clip will be centred in time and space 
on the matched facial image. It will show the larger context of the potentially 
matched traveller by showing what the traveller is wearing and carrying and the 
people around the traveller. 


As defined by Library and Archives Canada and for the purposes of this policy are 
those records that have no enduring value to the CBSA. They are records that are 
required only for a limited time to ensure the completion of a routine action or the 
preparation of a subsequent record but do not include records that are required to 


control, support or document the delivery of programs, to carry out operations, io 
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Definition) 


A database of selected previously deported persons created specifically for the Faces 
on the Move project. The database will contain facial images and related 
. biographical information (e.g., name, date of birth, warnings) extracted from the 
CBSA's existing Previously Deported Persons list. The database will contain entries 

for persons who have been deemed highly likely to attempt to return to Canada 
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. This section below provides an overview of the project. It is supported by the remaining sections of this 
PIA and is intended to ensure a description of the project is clear at the onset of reviewing this 
document. 


A. Background/Overview 

in 2014, the Canadian Border Services Agency (CBSA) received funding from the Defence Research and 
Development Canada (DRDC) for a project that will test the readiness of facial recognition (FR) 
technology as a means of screening against a database in an operational environment. This Privacy 
impact Assessment (PIA) provides the background on the project, its partners, the test period (herein 
referred to as the "demonstration period"), the evaluation period, and the associated privacy risks. The 
project is called Faces on the Move (FOTM). 


B. DRDC and CSSP 

As an agency of Canada's Department of National Defence (DND), the DRDC provides DND, the Canadian 
Armed Forces (CAF) and other government departments as well as public safety and national security 
communities the knowledge and technological advantage needed to defend and protect Canada's 
interests at home and abroad. 


in 2012, the DRDC established the Canadian Safety and Security Program (CSSP), which aims to invest in 
science and ul. i that will Men dun Canada's dd to he prevent mi Me 


CSSP | is od dis DRDC 5 Centre for Secus ene (css), | in one ip with Pu pli ic Safer Ca nada (PSC) 
and uses a collaborative model that gathers the best minds from government, industry, academia, 
response and emergency management agencies, and international organizations to work on the most 
pressing safety and security issues facing Canadians. 


That collaborative model extends to the manner in which the CSSP/DRDC provides funding for various 
types of projects, which must meet CSSP requirements identified through risk and vulnerability 
assessments and are associated with the priorities established by the CSSP; one of which is border and 
transportation security. CSSP-funded projects allow public safety and security professionals to work with 
science and technology experts to identify challenges, develop knowledge and tools, and provide advice 
that will help pcm Canada, its people, and institutions. Currently, the CSSP funds approximately 200 
projects and activities which are led by either federal, provincial, territorial and municipal governments, 
or academic insti ae through federal contracting mechanisms managed by Public Works anc 
Government Services Canada. 


One of the funding avenues for the CSSP is the Call for Proposal process which invites all levels of 
siete chou a and d academia to submit inei proposa is id innovative E and docilis iad 


de soit of B iin $ d rin tomewod. indiga end si dp privates sector dioi wh 
government programs to address a specific issue. Upon approval by the DRDC of a proposal, the lead 


* Thi s section was adapted from multiple sections of the DRDC website found here: httn://w 
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organization is able to use the DRDC funds to hire its partners (identified in their proposal) to assist in 
project delivery. 


C. CBSA Proposal and Project 

in 2013, the CBSA submitted a proposal to the DRDC/CSSP via the Call for Proposal process to seek 
funding to test FR technology within a border context. The proposal included the following private 
sector and academia partners: 


+ Face 4 Systems (formerly known as NextGenlD) 
+ ADGA Group Consultants Inc. | 
e Université du Québec ~ Montréal (specifically the École de Technologie Supérieure - ETS) 


in 2014, based on the CBSA proposal, the DRDC awarded funds to the CBSA to assist in the testing of FR 
technology. in-kind funding by the CBSA through the use of employee resources, project management, 
and technical expertise was needed to ensure the project budget was appropriate. 

Within the CBSA, the Information, Science and Technology Branch (ISTB), and specifically the Science 
and Engineering Directorate (SED), will lead the project in consultation with Programs Branch and 
Operations Branch. The Traveller Program Directorate is the Programs Branch sponsor and, in part, is 
the approving authority for this PIA. ISTB has led a working group consisting of working-level 
representatives from the following areas to ensure broad consultation and awareness of the project: 


* Comptrollership (Security and Professional Standards) 

* Corporate Affairs (Communications and ATIP Policy & Governance) 

+ Border Operations 

+ Enforcement and Intelligence Operations 

+ {STB 

«+ Traveller Program Directorate 

e Traveller Program Transformation 

* Greater Toronto Area Region (location of the demonstration — Pearson Airport) 


applications. The CBSA anticipates the technology could assist in overcoming some of the limitations of 
name-based lists. Specifically, it can assist in identifying travellers who are known to be inadmissible 


who seek to enter Canada using false identity documents or documents issued under different names. 


The demonstration period will begin in early 2016 (for period of six months) at Terminal 3, Toronto 
Pearson International Airport (YYZ). In order to demonstrate the solution, additional cameras will be 
installed and configured before the beginning of the six month-long demonstration period. In addition 
to camera installation, a secure server, workstation equipment, handheld devices, and software will also 
be installed. The cameras and associated wiring will operate separately from the existing CCTV network 
within the terminal and will be positioned and utilized in accordance with the CBSA's Policy on the Overt 
Use of Audio-Video Monitoring and Recording Technology; it is noted that only images and video are 
captured by the project-specific cameras and audio will not be captured or used. 
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pu D. Project Roles and Responsibilities 

| The funding provided by the DRDC allows for the CBSA to procure the services and products of the. 
partners identified in the proposal. Therefore, once the DRDC approved the funding, the CBSA was able 
to sole-source hardware, software, and consulting services from the proposal partners. In that regard, 
the following provides an overview of the roles and responsibilities of partners and stakeholders in this 
project: 


1. Defence Research and Development Canada (DRDC) 
The FOTM project is managed by the DRDC's CSS with CBSA's SED providing the project 
management function. The DRDC provides oversight to ensure its funding is used appropriately. 


2. CBSA Science and Engineering Directorate (SED) 
SED, a directorate under ISTB, will manage the project, coordinate all entities of the project, and 
is responsible for internal reporting (CBSA senior management) and external reporting (DRDC). 
The funds provided by the DRDC require quarterly reports as well as a final report which the SED 
is responsible for producing. From an IT Project Management perspective SED is the Project 
Authority and the Technical Authority. 


3. Faced Systems (formerly NextGenlD) 
Faced Systems is a Canadian-based (Ottawa) company which designs, develops, deploys and 
supports FR security products, services and solutions for government and private organizations 
around the world. Face4 Systems’ products focus on live face capture and face image quality 
analysis and processing. The company is a value added re-seller of FR software made by 
Cognitec, which is headquartered in Dresden, Germany with satellite offices in the U.S., 
Australia, and Canada. For this project, Face4 Systems will provide the following: 


* Purchasing cameras, server, desktop workstation {for BSO Adjudicator) and the 
handheld devices (For BSO Rover) 

e Installation and removal of the above products 

+ Training on the products 

+ Component testing of the products 

+ Technical support 

*. Assist in evaluating the results of the demonstration 


Face4 Systems staff will have access to the PDD photos, images and videos taken from the 
cameras, and other personal information as part of its responsibility to assist in evaluating the 
demonstration. Access to all personal information will be limited to a CBSA location. 


4. Université du Québec (Ecole de Technologie Supérieure (ETS)) 

test plan and system assessment methodology for post-demonstration scientific analysis during 
the evaluation period. After the demonstration, ÉTS staff will analyze performance data (match 
scores) from the Montreal campus of the University of Quebec. The performance data does not 
include any personal information. 
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tm 5. ADGA Group Consultants, Inc. 
The ADGA Group is responsible for authoring the PIA for the project. The company and its 
consultants play no further role in the project. 


As part of any CSSP-funded project, there are two additional participants that are best described as 
passive participants: the Community of Practice (CoP) and an External Advisory Committee. 


1. Community of Practice 


who share a common interest in a given area of expertise and work together to facilitate 
knowledge-sharing and collaboration. CoPs are an essential element of the CSSP, providing 
access to a rich pool of collective knowledge and experience to support the development of new 
or enhanced science and technology knowledge and capabilities and to provide advice and 
guidance in the development of evidence-based policy, decision-making and operational and 
strategic planning. Members of the CoP may be provided access to regular project updates, the 
final scientific analysis report, and may be invited by DRDC to attend a final presentation; 
however, none of the information provided to the CoP contains the personal information of 
actors or individuals from the PDD. 


For this project the CoP includes the following government institutions: Canadian Security 
Intelligence Service (CSIS), Transport Canada (TC), Royal Canadian Mounted Police (RCMP), and 
the CBSA. | 


pi 2. External Advisory Committee 
The External Advisory Committee comprises organizations that have expertise or interest in the 
area of a DRDC-funded project; in this case, biometrics. The Committee meets quarterly and 
provides the project with feedback on relevant information from the subject area. 


For this project, the External Advisor Committee includes: CBSA, RCMP, PSC, TC, Calgary Police, 
the Office of the Privacy Commissioner of Ontario, and the U.S. Department of Homeland 
Security. These organizations have had prior experience or involvement in projects related to FR 
technology. For example, the Ontario Privacy Commissioner has experience with the 
implementation of FR in Ontario casinos to identify self-reported problem gamblers attempting 
to enter a casino. Also, the Calgary Police has implemented FR technology to match crime-scene 
photos to its collection of mug shots. 


The Committee is not provided any reports or verbal communication containing the personal 
information of actors or PDD. | 


E. Overview of the Technology Demonstration 

Section 6 of this PIA provides a detailed explanation of the technology demonstration and how it will be 
deployed, utilized, and analyzed. The diagram and text that follows is provided as a high level 
explanation, which supports Section 6. 
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Figure 1: High-level System Overview 


| _ As part of the project, a dedicated server will be installed with no connection to any CBSA 

grs  ..- information system or to the existing CCTV network. The server will run the FR software and will 
be connected to the cameras that will be installed solely for this project. The server will also store 
personal information on two groups of individuals: the control group, who are actors from among 
volunteer CBSA employees; and the operational group, which consists of extracts from an existing 
inventory of Previously Deported Persons maintained within existing CBSA systems. The database that 
will be uploaded to the server will be limited to 5,000 individuals who have been previously deported 
and have attempted to return to Canada at least one time in violation of their removal order. 


in this first step, the cameras will capture still images and video of individuals entering the CBSA- 
and matched with the previously uploaded PDD and actors using FR software provided by Face4 
Systems. 


In Step 2, if the FR software identifies any potential matches, it sends a match notification to a 

Border Security Officer (BSO), identified for the purposes of this project as an “adjudicator”. The 
dedicated workstation located inside a secure Surveillance Centre will have an application installed 
locally that receives the possible match notification from the FR server and prompts the adjudicator for 
a decision. The adjudicator is presented with an image of the match from the PDD and images from the 
Terminal 3 cameras to make the adjudication decision, as well as a five second video of the individual. 


If the BSO adjudicator believes a match has occurred, a BSO Rover ( BSO patrolling the CBSA- 
controlled section of the airport) is notified via a project-specific handheld device. 


Communication between the adjudicator workstation and the Rover BSO handheld device is over a 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


o. provide the Rover BSO with an image of the individual, a five-second video taken from the project- 
specific cameras and data from the PDD (Name, DOB, FOSS ID#, and alerts). The Rover BSO will use this 
information to locate the individual and validate the adjudicator's match assessment. 


Assuming the Rover BSO is confident that a match exists, the individual is referred to secondary 
examination at Terminal 3 where a BSO will assess the individual's identity and admissibility to 
Canada. Upon escorting the individual to secondary, the Rover BSO will inform the secondary BSO that a 
FOTM match has occurred. All BSOs working in Terminal 3 are aware of the FOTM demonstration and 
that any FOTM match requires independent validation using existing systems and procedures for 
potential matches of the PDD. FOTM procedures for secondary immigration BSOs will clearly state the 
requirement that any FOTM match requires independent identity validation using existing systems and 
procedures. 


| 4 / 


When an operational match results in action being taken with respect to a traveller, such as a referral to 
secondary examination, the match record, including all PDD information, live-capture photos, and scene 
video, will be exported to secondary storage (CD, USB, or similar) in accordance with CBSA policies, 
which require that any interaction with a traveller (i.e., referring the individual for secondary 
examination based on the FR demonstration) must bà kept for two years. The storage device will be 
kept on the individual's file, so that a permanent record of the information that led to the action can be 
preserved; however, evidence supporting deportation will be limited to the identity validation efforts of 
the secondary immigration B50. If deportation is the result of the secondary examination, then norn- 
FOTM data, including video from existing Terminal 3 cameras, will be used to support the deportation 
proceeding. Only in rare and extraordinary cases does CBSA envision FOTM data being a supporting 
Gm, piece of information in a deportation proceeding. 


For the four-step process outlined above and shown in Figure 1 above, the FR system will be configured 
to send a match notification to the adjudicator only if a potential match has a high probability of being a 
true positive match. This will reduce the number of false positives (where the system incorrectly 
matches a traveller's face with an image from the PDD sent to the BSOs. | 
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F. Post-Demonstration Analysis and Report to DRDC 

Once the six-month demonstration period is over, the technology will be removed from the airport for 
cameras, wiring, adiudicator workstation, and the handheld devices. The only potential change to the 
removal plan is that the project cameras may be provided to the POE and be re-wired as they are no 
longer valuable to the demonstration after the demonstration period. At the writing of this PIA, a final 
decision on whether to provide these cameras to the POE had not been made. 


Also following the demonstration period, representatives from the CBSA's SED (as the project lead), 
Face4Systems, and the ÉTS will analyze the demonstration data to scientifically examine the results. 
Faced Systems staff will have access to the personal information that was used during the 
demonstration to determine the effectiveness of the software. Their access to personal information will 
be restricted to a CBSA location. 

Additionally, scientists from the ETS will analyze performance data from the demonstration, which will 
not include any personal information. ETS access to the performance data will be performed outside of a 


personal information of particular cases/individuals. 


G. Goals of the Project 
It is critical to this PIA that there is a clear understanding regarding the goal and intent of the project, 
which is to scientifically test FR software in a border context. 


Therefore, the goal of the project is simply to scientifically test the technology. This PIA and the project 
is not a Pilot Project to test a solution for possible future implementation. There is no underlying pian 

within the CBSA to implement the FR software after the demonstration. The test results of the solution 
may support future CBSA decisions on how to further test FR, but the CBSA is clearly in the very early 


As part of the funding provided by the DRDC, the project team is required to write a scientific report on 
the demonstration and the test results. The report will be made public on the DRDC website and 
disseminated to project stakeholders. The report may also be reviewed by members of the CoP and the 
Advisory Committee. It will not contain any personal information. 


H. Scope of the PIA 

The scope of this PIA is limited to the technology demonstration that is managed by the CBSA' s SED and 
supported by the other CBSA Programs and external organizations as outlined in the previous section of 
this document. As this is substantially different from how the CBSA uses both video surveillance and 
biometric technologies, this PIA has been written to ensure the demonstration is considering the privacy 
implications of the project. By analyzing the privacy principles in conjunction with the demonstration, 
the CBSA is ensuring privacy and the scientific analysis of the technology are both considered when the 
Agency makes future decisions regarding FR technology. 
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This PIA identifies two sets of risks: one that are inherent to the demonstration itself and another that 
are anticipatory and based on the potential future testing and use of FR technology to identify 
individuals in CBSA controlled areas. The latter group of risks are advisory in nature and have no bearing 
on the actual scope of this PIA — the demonstration of the FR technology. Privacy considerations of the 
"actor" group have not been included in the scope of this PIA because this group consists of volunteer 
participants and will not be used for an administrative purpose. 


The CBSA is committed to ensuring that privacy is strongly considered in relation to the use of audio- 
video monitoring and recording technology. If any future projects stem from the scientific results of this 
project, subsequent PIAs will be written to ensure privacy risks and their related mitigation strategies 


are identified before deployment. The CBSA will also ensure subsequent PIAs provide a detailed 
description of the scientific results of the current demonstration. Moreover, CBSA ATIP will continue to 
provide updates to the OPC on various privacy-related projects at the CBSA, including but not limited to, 


any further use of FR and audio-video monitoring and recording. 
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Privacy Impact Assessment | for section 10 of the Privacy Act 


Barry Kong, Director, Program Dan Proulx, ATIP Director, CBSA 


Description of Program or Activity: 


Faces on the Move: Multi-camera Screening is a Project under the Canadian Safety and Security Program 
(CSSP) managed by Defence Research and Development Canada (DRDC). The purpose of the project is to 
demonstrate the operational readiness of FR technology. 

The CBSA will demonstrate FR technology to assess its potential for supporting existing programs as an 
integral part of its security framework to support its admissibility determination and immigration 
enforcement processes. The use of FR technologies could support the Enforcement, Facilitated Border, 
and Conventional Border programs, and could increase the CBSA’s ability to meet its mandate and its 
ability to protect the public and its employees. These potential uses provide the necessary justification 
for CBSA being involved in the testing project, but the project is only intended to test the effectiveness 
Of a FR-based traveller processing solution and provide a scientific assessment of the technology's 
readiness level, That assessment will be used by the CBSA, and other members of the CoP, to better 
enable the Border and Transportation Security Community on the current state of FR technology. 


Most cameras deployed for this project will monitor and record still images of travellers' faces in the 
CBSA-controlled areas of Terminal 3 of Toronto's Pearson International Airport. A smaller number of 
"scene cameras" will record video of travellers as they pass through this area. Areas or activities where 
travellers' facial images may be recorded include, but are not necessarily limited to: approaches to the 
arrivals hall, approaches to PIL booths, during PIL interviews, and the approach to immigration point. 

. Recorded facial images will be compared automatically to a database of persons of interest to CBSA. No 
audio will be collected or used in the FOTM project. The database will consist of facial photographs and 
basic biographical information (name, date of birth, FOSS IDH, and alerts) of actors and from CBSA's 
existing Previously Deported Persons list. All potential matches that have a high likelihood being a true 
match between an arriving traveller and a person on the PDD will be adjudicated immediately by a CBSA 
officer. Potential matches with a low likelihood of being a true match will be reviewed, in bulk, for 
statistical analysis purposes between one to seven days after the travellers' facial images were recorded. 
For each potential match, a short video clip (from a scene camera) taken at the same time as the facial 
photograph will be stored on the FR server dedicated to this project (no connection to any CBSA 
information system). Verified high-likelihood, real-time matches will be communicated to roving CBSA 
officers in the airport, who will attempt to find the traveller and ask him or her to report to secondary 
examination for further discussion. The video clip will aid in identifying the traveller by showing what 
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p the traveller is wearing and carrying. Verified lower-likelihood, non-real-time matches will be analyzed 
statistically, with an objective of reporting on system performance and limitations. 


Through the Admissibility Determination program, the CBSA develops, maintains and administers 
the policies, regulations, procedures and partnerships that enable border services officers to 
intercept people that are inadmissible to Canada and to process legitimate people seeking entry 
into Canada within established service standards. 


In the traveller stream, border services officers question people upon arrival to determine if they 
meet the requirements of applicable legislation and regulations to enter Canada. Border services 
officers will then make a decision to grant entry or refer a person for further processing (e.g. 
payment of duties and taxes, issuance of a document), and/or for a physical examination. 


IMMIGRATION ENFORCEMENT 


The immigration Enforcement Program determines whether foreign nationals and permanent 
residents who are or may be inadmissible to Canada are identified and investigated, detained, 
monitored and/or removed from Canada. 


Foreign nationals and permanent residents of Canada believed to be inadmissibie are investigated 
and may have a report written against them by a CBSA inland enforcement officer. Depending on 
the type of inadmissibility, the merits of the report are reviewed. Subsequent to this review, a 
removal order may be issued against the foreign national or permanent resident in question. 
Removal orders issued against refugee claimants are conditional and do not come into force until 
the claim against the removal order is abandoned, withdrawn or denied by the IRB. 


REMOVALS 


The Removals Program (a sub-program of Immigration Enforcement) ensures that foreign nationals 
and permanent residents with an enforceable removal order are removed from Canada. Once a 
person is removal-ready, an interview is conducted to ensure that a travel document is available 
and that a pre-removal risk assessment is offered by a CBSA inland enforcement officer. Where a 
valid travel document is not available, CBSA inland enforcement officers liaise with foreign 
embassies to secure the required travel documents. 

section 5 of the Access to Information Act. For institutions that develop a Program Activity Architecture (PAA) as per the 

Management, Resources, and Results Structure Policy, the institutional Info Source chapter must align with the programs, 

activities and sub-activities described in the PAA. 


Description of the class of records associated with the program or activity: 

CBSA BPD 1101 

Records include audio/video footage of CBSA operations including primary inspection line (PIL) 
interviews; secondary examinations; interactions at CBSA information counters, cashier counters, 
commercial counters, in detention cells, and in interview rooms to record audio statements made 
under the Immigration and Refugee Protection Act (IRPA). 


CBSA ENF 135 
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subject of an enforceable removal order. May include records related to the establishment or use of 
electronic systems used to administer or manage the program including the Global Case 
Management System (GCMS) and the National Case Management System (NCMS) and the Canadian 
Police Information Center (CPIC). 


CBSA ENF 137 


Information from the enforcement records of persons who have come under examination at a port 
ofentry or an investigation at an inland office. Personal information may include name, address, 
birth date, country of birth, enforcement action undertaken (i.e. inadmissibility reports, arrest 
reports, hearing or removal under the Immigration and Refugee Protection Act (IRPA)), fingerprints, 
digital photographs, personal histories of refugee claimants, immigration applications and the date 


Class of Record Number: CBSA BPD 1101; TBS Registration: 20110287; Bank Number: CBSA PPU 1104 
Class of Record Number: CBSA ENF 135; Bank Number: CBSA PPU 1301 
Class of Record Number: CBSA ENF 137; TBS Registration: 005218; Bank Number: PPU 032 


|. | Proposal for a New Personal Information Bank 


a Proposed new Standard Personal information Bank 
|_| Proposal to modify an existing Standard Personal Information Bank - identify Standard PIB number 
and current description: 


immigration and Refugee Protection Act 


+ Sections 15(1), 16(1), 16(1.1), 16(2), 16(21(a), 16(2)(b), 16(2.1), 16(3), 18(1), and 18(2) 
| immigration and Refugee Protection Regulations 


* Sections 28, 28(a), 28(b), 28(c), and 28(d) 


established, Generally, Parliamentary authority is usually contained in an Act of Parliament or subsequent regulations, or 
approval of expenditures proposed in the Estimates and authorized by an Appropriations Act. If legal authority is unclear 
consult your Legal Service to determine authority for the program or activity. (See question 1 of Section V) 
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w Summary of the project / initiative / change: 


The CBSA works to promote the free flow of travellers and goods into and out of Canada, while ensuring 
that security measures are in place to stop and remove potential threats. Keeping Canada's border open 
to travel and trade, but closed to criminal activity requires the CBSA to manage border operations 
effectively. 


With a workforce of approximately 14,000 employees, the CBSA provides services at 1,200 points across 
Canada. The CBSA also administers more than 90 acts, regulations, and international agreements, many 
on behalf of other federal departments and agencies, the provinces, and the territories. In calendar 
year 2013, the CBSA processed 99.7 million travellers and 14 million commercial shipments. 


The CBSA will demonstrate FR technology to assess its potential to support existing programs as an 
integral part of its security framework to support its admissibility determination process. The use of FR 
technology may increase the CBSA's ability to meet its mandate and its ability to determine the 
admissibility of persons seeking entry to Canada. However, the intent of the FOTM project is to test the 
solution and assist CBSA senior management in any decisions to further explore FR technology. 

Project -specific cameras will monitor and photograph travellers' faces and record video of their overall 
appearance in the CBSA-controlled areas of Terminal 3 of Pearson International Airport, Areas and 
activities that may be monitored and photographed include, but are not limited to: approaches to the 
arrivals hall, approaches to PIL booths, during PIL interviews, approaches to immigration point, and 
within immigration secondary. 


Currently, signage at Terminal 3 includes a bilingual placard that states the following: 
"This area is under video surveillance. Recordings may be used and 
shared in accordance with applicable federal legislation. For more 
information on the CBSA's use of these recordings, please ask to speak 
with a supervisor or visit www.cbsa-asfc.gc.ca" 


At the CBSA, the location of monitoring and recording signage must adhere to three Agency-developed 
principles: 


1. Signs must be posted anywhere video recording technology is being used (Note that the Policy 
on the Overt Use of Audio-Video Monitoring and Recording Technology places limitations on the 
use of AV technology). 


2. Signs must be posted (in order of preference) in at least one of the following areas: just prior to 
entry to a CBSA-controlled area; at entry points to a CBSA-controlled area, or as soon as possible 
after entry to a CBSA-controlled area. 
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3. Signs must be hung in conspicuous locations to allow travelers a reasonable opportunity to 
know that the area that they are in, or about to enter, is under surveillance. 


FR technology will compare the facial images collected from arriving travellers and compare them with 
images of persons of interest on the pre-generated PDD. When the FR system finds a potential match 
between a traveller and a PDD entry, it will attach a short video clip of the traveller (taken by a FOTM 
scene camera). If a potential match has a high likelihood of being true, the FR system will immediately 
notify a CBSA Border Services Officer (BSO) in the Surveillance Centre. The BSO will manually review the 
collected image, video, and the PDD image and make a final adjudication as to the accuracy of the 
match. The BSO will send an alert about the verified match to roving BSOs in the immigration hall using 
wireless technology. The roving officer will receive the alert via a handheld device provided for this 
demonstration (this handheld device is unique to the FOTM demonstration and will not be used for any 


x 


other purpose; these devices will be removed at the end of the demonstration). The roving BSO will 
search for the identified person and, upon finding the person, direct him or her to secondary 
examination. in secondary examination, existing systems and procedures will be used to process the 
traveller. BSOs working immigration secondary have been made aware of the FOTM demonstration and 
new procedures require them to validate the identity of the individual separate from the FOTM match. 


FR could assist the CBSA in ensuring the integrity of the border by capturing information relating to 
persons who contravene the immigration and Refugee Protection Act (IRPA). For example, FR could 
assist in detecting contraventions of the following sections of the act: 


+ IRPA section 15, which grants the CBSA the authority to examine persons applying to enter Canada 

* IRPA section 16, which requires persons making such applications to respond truthfully to the 
examination 

+ [RPA section 18, which requires every person seeking to enter Canada to appear for an examination 
to determine the person's admissibility to Canada 


Cameras will not be placed in any area where CBSA business is not conducted, or in any area where 
there would be a heightened expectation of privacy, such as public or employee washrooms, lunch 
rooms and locker rooms. Information related to travellers, facility employees (non-CBSA) or other 
members of the public (transport drivers, flight attendants, brokers clearing goods, etc.) is considered to 
be personal information as defined in section 3 of the Privacy Act. For the purposes of this activity and 
this PIA, any CBSA employee information captured in facial photographs that relates to the function or 


the position of the employee is not considered to be personal information, in accordance with 


paragraph 3(i) of the Privacy Act. Any information captured related to an employee that does not 
specifically relate to his/her function or position will be treated as personal information per section 3 of 
the Privacy Act. | 
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The CBSA recognizes that it has broad authorities to stop, question, search, detain and arrest travellers 
and seize goods and information in the border context. It further recognizes that, in order to carry out 
its mandate to ensure the safety and security of the Canadian border, it collects and is entrusted with a 
wide variety of personal information. The CBSA is committed to adhering to all privacy laws and to 
ensuring that not only are individuals appropriately notified of any collection of personal information, 
but that all of the information collected is appropriately protected. 


The use of FR technology is a new activity. Use of this technology will be guided by the CBSA's 
overarching policy on the use, retention, disclosure and disposal of audio and video equipment and 
recordings. Standard Operating Procedures will be drafted to govern the specifics of the FOTM project. 
The CBSA is conducting this PIA to ensure that the privacy risks associated with using, retaining, 
disclosing and disposing of personal information collected in the course of demonstrating FR technology 
are adequately addressed. 


This PIA reflects the CBSA's planned use of FR technology at Pearson International Airport beginning in 
early 2016 for period of six months, during which project personne! will analyze the performance of the 
technology. This will be followed by a three- to six-month lab evaluation phase where the technology's 
performance in relation to the information collected during the demonstration will be further assessed. 
At this time, the CBSA has no plans to deploy FR technology for ongoing operational use, regardless of 
the performance of the technology in this limited demonstration. The testing results may assist future 
senior management decision on further exploration of FR at the CBSA, but at this time, there are no 
definitive plans to implement such technology. 


This PIA has been drafted using the AV Policy as well as the associated Directives, the Privacy Act and the 
Privacy Regulations, and the Immigration and Refugee Protection Act as references. The AV Policy was 
implemented on August 15, 2011 and revised in July 2013. No audio will be collected or used in the 
FOTM project. The Agency recognizes that the use of the AV policy for traveller processing is a new use 
which is not currently included in this Policy. | 


The FOTM project is a project of the Canadian Safety and Security Program (CSSP), managed by Defence 
Research and Development Canada's (DRDC) Centre for Security Science (CSS). The CBSA is the 
government lead for the project. 


PROTECTED B 


The section provides a discussion related to the scope of this PIA and an assessment against the four- 
part test. 


The CBSA recognizes that the four-part test, in part, requires an assessment as to whether the initiative 

will be effective in achieving a specific purpose. However, this initiative is unique in that it is not a Pilot 
Project or a Proof of Concept that is being tested so the tested solution can be modified for future use. 
instead, the purpose of this project is to provide a foundational dataset regarding the effectiveness of 
this technology as a whole. This may be used by the CBSA, or its partners, to inform any future plans to 
deploy FR technology. This careful approach has been taken in recognition of privacy sensitivities 
inherent in a FR-based matching program. 


The four part assessment below must be read with the understanding that it is limited to the scientific 
evaluation of an FR technology demonstration and does not apply to the application of FR technology 
within the CBSA's current traveller processing programs. Any future demonstration or testing of FR will 
result in a PIA that will draw upon the scientific research garnered from this project and be further 
assessed against the four-part test. 


1. isthe measure demonstrably necessary to meet a specific need? 


There are many cases of non-Canadians using false names in attempts to enter Canada illegally. 


A report by the PBS television show "Frontline" explored how terrorists use fake identity documents 
to travel the world. The report focused on Ahmed Ressam, the so-called "Millennium Bomber", who 
first entered Canada i in 1994 usi ii a fake French sad (see 


in 1970, Palestinian Mahmoud Mohammad Issa Mohammod was convicted in a Greek court of 
mansiaughter and other charges related to an attack against an Israeli airliner that he participated 
in. This conviction made him inadmissible to Canada. Yet in 1987, he managed to enter Canada 
under a false name. It took until 2013 for him to be deported (see 
7 anaimodailynews.com/news/palestinian-deported-from-canada-1.17761711). 


A U.S. citizen was a fugitive from American justice when he used a false name to enter Canada in 

2008. He was eventually arrested and sentenced for crimes he committed in Canada before being 

deported back to the United States (see | 
p//www2.canada.com/saskatoonstarphoenix/news/local, 


bf2f-fcebd0188783). 


'story.html?id-07cfdad2-5d05-4e65- 


in 2011, an iranian man in Canada was ordered deported for the second time after being convicted 
of people smuggling. He provided false identity documents to smuggle Iranians to various countries, 
including Canada. He also used false passports to enter Canada in 2008 after being removed in 2007 
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A judgement was rendered in 2013 against a Portuguese citizen who had been previously deported 
from Canada five times. On at least one of those occasions, he tried to enter the country using a 
passport with a false name. In this most recent case, he also used a false passport, although this 
time the name he was using was on a list (see 

tto://visalawcanada.blogspot.ca/2013/12/portugue 


A man who entered Canada as a refugee in 2003 was arrested in 2014 in connection with a 2000 
murder in Texas. Although the man claims he is not the person wanted in the murder case, 
fingerprints and sea adn have cled ONNES] to ! oncle ne is the same A die to 


sites an | average at 16 P. per year were e delecad using ds cé Sule, Edo or ae 
travel documents between April 2011 and March 2014, In other words, these people were using 
documents to claim they were someone else. There is no estimate available for how many people 


used such documents and were not detected. 


ii 


is it likely to be effective in meeting that need? 


The purpose of the FOTM technology demonstration is to assess whether FR technology can be 
effective in detecting attempts by travellers to Canada to subvert name-based lists through false 
identity documents. The CBSA is committed to taking a careful and educated approach to exploring 
ana Maire 'mpiemengng? FR o. ogy; i in b thet CBSA i is sommitted 1 to os a solution is 


reason ve ie Meno tuna 


FR has been used in other jurisdictions for similar purposes with some success. A 2011 report 
explains how Ontario casinos use FR technology to identify self-reported problem gamblers if they 
try to enter a casino. The same report explains how the Canadian Bankers Association has been 
using FR since sis to iid n debit card d aud. s See 


In November 2014, the Calgary Police Service announced it was implementing FR technology to 
dx iie crime- scene e photos to its collection of over 300, p00 mugs shots. It is the first oda ice service in 


ss logy olen dum +; | E À 
technology n 6154200. ii i). 
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Law enforcement agencies in the U.S. have used FR to match images extracted from CCTV footage at 
crime scenes wi ith photo databases pln based on drivers licence photos) to identify criminals 


software. HA) (Sau pen “LIN 
TN facial sonora scanners s (Brussels, B Belgium), and 


is the loss of privacy proportional to the need? 


The FOTM demonstration is being deployed only for testing purposes for a limited time (six 
months). It targets only those persons who are already under an active removal order and who have 
previously demonstrated intent to return to Canada, despite having been previously deported 
muitiple times. 


The FR demonstration will take place only in CBSA-controlled areas of Terminal 3 at Pearson 
international Airport for a limited time, estimated at six months. After the demonstration, the 
technology will be removed from the airport for an additional three to six months of evaluation in a 
lab setting Personal information already collected at POEs includes a traveller's name; citizenship(s); 
country and place of residence; and sex. Travellers must also provide a piece of approved 
identification, such as a passport or enhanced driver's license. Persons seeking entry to Canada 
may also be required to provide the following information: address, or address of destination in 
Canada; date of birth (age); marital status; employment status; criminal history; fingerprints; and, 
information related to accompanying goods entering Canada, including purchases made abroad. FR 


technology, in addition to the elements mentioned, also captures the physical image of the traveller, 


which can assist in identifying individuals seeking entry into Canada who are using false identity 
documents. In all cases, the CBSA only collects the minimum amount of personal information 
required to make an admissibility decision. 


The loss of privacy is minimal given the lower expectation of privacy in a border crossing context. 
This was noted in the PIA report on the Overt Use of Video Monitoring and Recording Technology 
submitted to the OPC in November 2013. The FOTM demonstration project represents only a 
nominal increase in the loss of privacy insofar as no different information is being collected above 
and beyond the CBSA's current use of CCTV technology. The main difference between CCTV and FR 
is in the technology being used to process the information. This nominal increase in privacy loss will 
affect mainly those travellers who try to subvert the admissibility determination process. 


The CBSA fulfills its mandate through the administration or enforcement of over 90 Acts and 


Regulations. As a result the Agency is responsible for numerous and complex programs and 
operating activities, including deciding on traveller admissibility to Canada. in calendar year 2013, 
the CBSA provided border-related services for 99.7 million travellers arriving at our land, air, rail and 
marine ports of entry. There is a significant need to find ways to augment the admissibility 
determination process with automation that can improve efficiency and effectiveness without 
sacrificing privacy. The CBSA is testing FR technology to determine whether it can meet this need. 
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P 4. \s there a less privacy-invasive way of achieving the same end? 


The goal of this project is to demonstrate the effectiveness of FR technology in an airport setting.FR 
is less invasive than other forms of biometric identification, such as fingerprints or retina scans. 
There is no need to touch or come into close proximity with a biometric scanning device; cameras 
can be mounted on walls, ceilings, and other architectural features and capture facial images 
without inconveniencing the traveller. 


in terms of the goal of identifying travellers using false identity documents, the only other way to do 
FR at this time in a way that would be less privacy-invasive would be to have CBSA officers visually 
examine every arriving traveller and compare their faces with the PDD. Given that the 
demonstration PDD will contain thousands of photographs, it could take hours to process each 
traveller through manual FR. This is obviously a totally impractical approach to traveller 
identification. 


Lastly, the CBSA is always balancing methods of enhancing security while expediting travel and 
commerce; a balance that is often difficult. if the FR technology proves successful, it may also serve 
a dual purpose: first, to better identify individuals who are attempting to illegall 


egally re-enter Canada; 
and two, by improving the effectiveness of and efficiency of identifying these individuals, reduce 


wait times at the Primary Inspection Lane (PIL). 


usu 


| Program or activity that does NOT involve a decision about an identifiable individual 


Administration of Programs / Activity and Services 


Criminal investigation and enforcement / National Security 
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| SECTION 4 - RISK AREA IDENTIFICATION AND CATEGORIZATION 


For Section 3, please check the appropriate box that describes the level of risk related to your program 
or activity and provide details as indicated in yellow. 


ogram or Activity 


Personal information is used strictly for statistical / research or evaluations including mailing list 
where no decisions are made that directly have an impact on an identifiabie individual. 

The Directive on PIA applies to administrative use of personal information. The Policy on Privacy 
Protection requires that government institutions establish an institutional Privacy Protocol for 
addressing non-administrative uses of personal information. 


Personal information is used to make decisions that directly affect the individual (Le. determining 
eligibility for programs including authentication for accessing programs/services, administering 
program payments, overpayments, or support to clients, issuing or denial of permits/licenses, 
processing appeals, etc...). 


Compliance / Regulatory investigations and enforcement 3 


Personal information is used for purposes of detecting fraud or investigating possible abuses within 
programs where the consequences are administrative in nature (Le. a fine, discontinuation of 
benefits, audit of personal income tax file or deportation in cases where national security and/or 
criminal enforcement is not an issue). 


Personal information is used for investigations and enforcement in a criminal context (Le. decisions 
may lead to crimina! charges/sanctions or deportation for reasons of national security or criminal 
enforcement). 
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p | Only personal information, with no contextual sensitivities, col llected directly from the 
| individual or provided with the consent of the individual for disclosure under an 
authorized program. 


Personal information, with no contextual sensitivities after the time of collection, 
provided by the individual with consent to also use personal information held by 
another source. 


| Social Insurance Number, medical, financial or other sensitive personal information 

- and/or the context surrounding the personal information is sensitive. Personal 

| information of minors or incompetent individuals or involving a representative acting 
_ on behalf of the individual. 


Sensitive personal information, including detailed profiles, allegations or suspicions, 
bodily samples and/or the context surrounding the personal information is 


larly sensitive. 
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Mo 


Within the institution tone one or more programs within the same institution) 


With other federal institutions 
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Faces on the Move: Multi-camera Screening 


One time program or activity 
Typically involves offering a one-time support measure in the form of a grant payment as a social - 
support mechani ism. 


Short-term program 


Long-term program 
Existing program that has been modified or is established with no clear” “sunset”. 


ogy | in the short-term context 


A program or an activity that supports a short-term goal with an established “sunset” date. 
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Edi Does the new or modif ed program or acti tivity involve he pedent on -— a new 


PROTECTED 
Faces on the Move: Multi-camera Screening - : PIA 


ER 


| video, o or PDD nf | 


electronic system, software or application program including collaborative software 
(or groupware) that is implemented to support the program or activity in terms of the 
creation, collection or handling of personal information? 


6.2. Does the new or modified program or activity require any modifications to IT legacy 
systems and a or services? 


6.3 Does the new or modified program or activity involve the imp 
more of the foi lowing technologies: 


6.3.1 Enhanced: identification methods: 
This includes biometrie technology (Le. facial recognition, gait analysis, iris scan, 
fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as 
easy pass technology, new identification cards including magnetic stripe cards, "smart 
usd Ls ie. identi Reston cards thate are ee sans with either an antenna ora contact 


with r non- estime: atopic), 


The CBSA will use FOTM in anproaches to the arrivals hall, approaches to PIL booths, 
quss PIL interviews, and approaches to immigration point to identify persons of 
interest to the CBSA through matching facial i mages with PDD images. 


This includes surveillance technologies such as audio/video recording devices, thermal 
imaging, recognition devices, RFID, surreptitious surveillance / interception, computer 
aided monitoring including audit trails, satellite surveillance etc. 


Please specify: 


| | FOTM will use cameras to overtly photograph travellers’ faces and to record « scene 
_ video of the travellers’ overall appearances (e. B^ clothing, luggage, companions). 


6. 3.2 Use of Surveillance: — DS YES 


rthe 
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6,3.3 Use of automated personal information analysis, personal information matchin 
and knowledge discovery techniques: 


For the purposes of the Directive on PIA, government institutions are to identify those 
activities that involve the use of automated technology to analyze, create, compare, cull, 
identify or extract personal information elements. Such activities would include personal 
information matching, record linkage, personal information mining, personal information 
comparison, knowledge discovery, information filtering or analysis. Such activities involve 
some form of artificial intelligence and/or machine learning to uncover knowledge 
(intelligence), trends/patterns or to predict behaviour. 

Please specify: 


| The CBSA will use FOTM to compare images of: arriving travellers’ faces with facial 

_ photographs of persons of interest on a PDD. The technology will identify potential 
| matches and notify CBSA officers, who will manually review and adjudicate the 

| potential matches. Real-time matches that are verified by human review will be 

_ forwarded to roving CBSA officers for further action. 


A YES response to any of the above indicates the potential for privacy concerns and risks that will 
need to be considered and if necessary mitigated. 


6.1 implementation of new cameras, FR servers, and wireless communications. 
Privacy Risk: 


The CBSA will implement cameras that have the capability to take facial photographs of any and all 
individuals found in CBSA-controlled and -monitored areas accessible to the travelling public. Facial 
images of immediately verified persons of interest will be transmitted wirelessly within the CBSA- 
controlled and CBSA-monitored areas to notify roving CBSA officers of the presence of a person of 
BSA will also implement video cameras to take scene video of the same areas. The 


interest. The Ct 
system will attach a short video clip (approximately 5 seconds) to each match record to provide 


context of the traveller within the airport. 


Mitigation: 


Facial photographs and scene video taken by the on-site cameras and information contained in the 
PDD will be accessible only to properly authorized and trained CBSA personnel. This information will 
be used only to identify persons of interest who have already been determined to be inadmissible to 
Canada and to perform post-demonstration tests and analysis on the FR technology in a CBSA lab 
setting. The facial photographs and scene video taken on-site will have no identifying information 
associated with them other than a date/time stamp. The PDD will contain only photographs, names, 
birthdates, and safety warnings. information about potential matches will be retained for the 
duration of the project to generate metrics about the performance of the technology. 


Live-captured facial photographs and scene video for matched travellers will be retained for the 

b Hd of the project. Unused scene video {i.e., video that is not linked to any matched travellers) 
jill be retained for 30 days from the time of creation. PDD information will be retained for the 

du ration of the project. 
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" 2. 2 Use of surveillance 

bipes Risk: 

d Although à there isa reduced PA Pa ef privacy at an a travellers may perceive a Fick that 
unauthorized personnel could access the images taken by FOTM. 

Mitigation: 

The CBSA will ensure that any disclosure of facial photographs, scene video, or PDD information is 
made in accordance with the relevant policies and legislation. in addition, the CBSA will take steps to 
ensure that recordings are not di isclosed by third parties without the consent of the CBSA, After the 
je six- month demonstratione at Terminal 3of Pearson Intemational Se des g esystem v will be: re- 


to o improve MOM leat rene nce. 
The CBSA’s AV Policy states: 
e All disclosure of audio-video or photographic records must be made in accordance with the 
provisions of the Customs Act, the Access to information Act, the Privacy Act and/or CBSA 
| disclosure policy. 
_In addition, the CBSA's Directives on the Overt Use of Audio-Video Monitoring and Recording 
Technology state that: 
e Any access to or disclosure of audio-video or photographic recordings must be noted in an audio- 
video monitoring log. The log entry must include the date and time when the data was accessed, 
m, which segment of the data was viewed, by whom and for what reason. Persons who access 
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m recordings must i identify themselves by name and badge number if applicable. 
| is disclosed, the authority for that disclosure must also be noted in the log. 


When a recording 


When audio-video or photographic recordings are copied or extracted in order to be closed: 
within the CBSA or to other organizations, the CD, DVD or storage device must be stored in locked 
storage according to the security classification of the information contained in the audio-video 
recording. Facial photographs and related information are to be categorized as Protected B. 

+ Audio-video or photographic recordings, including records to be disclosed to organizations, may 
only be disclosed as authorized by the Privacy Act, s. 8, Customs Act, s. 107, and CBSA disclosure 
policy. 

+ Only the segment of the audio-video recording or the photograph or PDD information related to 
the request will be provided. Any unrelated data will be blacked-out, blurred, or obscured by a 
technique certified as tamper-proof by a credible certification body. 


mation analysis, personal ir fo 


The eret informatión | iS sed within a — syster, 


No connections to Internet, Intranet or any other system. Circulation of hardcopy documentais 
controlled. 


The personal information is used in system that has connections to at least one other 2 
system. 
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Manageria al harm. 


Processes must be revi iewed, tools must be changed, change in provider / partner. 


AS 


Organizational harm. 


Changes to the organizational structure, changes to the organizations decision-making structure, 
changes to the distribution of responsibilities and accountabilities, changes to the program activity 
architecture, departure of emp! oyees, reallocation of HR resources. 


Financial harm. 


Las wsuit, addit ional moneys required real location of financial resources. 


Reputation harm, embarrassment, loss of credibility. [ ]4 


Decreased confidence by the public, elected officials under the spotlight, institution strategic 
outcome compromised, government priority compromised, impact on the Government of Canada 
Outcome : areas. 


ontrols to safeguard t 


A: 


inconvenience, 


Financial harm. 


Physical harm. 
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Personal Information Elements and Sub-elements 
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Note: Identification of sub-elements is necessary where sensitive personal information is being collected ar where the type of program or activity presents a potential privacy 


| Gender, physical 
; attributes 


Personal 
Information - 
Element 


Physical image 
of traveler 


when photo or 
scene video is 
| captured. 


Personal Information Sub- 
Element 


includes a person's race, ethnic 
origin, or colour 

can include information related to 
a person's employment (e.g., 
from employment-related 
headwear or clothing) 


can include information related to 
a person's religious affiliation 
{eg from clothing ar 
accessories) 


| Recording, 
| stored as digital 


| To ensure the integrity of the immigration 


| program. 


| Gender, physical 

| attributes, name, 

| date of birth, safety 
| warnings 


| Physical image of 

| person and 

| associated details 

: when information is 
collected from 

| existing sources for 
| PDD. 
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origin, or colour 

Name (and passibly known 
aliases) 

Date of birth 


Safety warnings (such as flight risk, 
risk of violence, etc) 


| Electronic 

| database 

| entries, 
including digital 
| images 


| To assist in making admissibility decisions 
| regarding the entry of persons to Canada. 


: identify persons inadmissible to Canada. 

| To assist in making admissibility decisions 
| regarding the entry of persons to Canada. 
| To ensure the integrity of the immigration 
| program. 


| To identify persons known to be 
inadmissible. 
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| Biometric | Biometric |o ER algorithm : Electronic | To match against live-capture photos to 
| information | _ Information : ; database _ identify persons inadmissible to Canada. 
: | entries, | To assist in making admissibility decisions 


| including digital | regarding the entry of persons to Canada. 
| images 


To ensure the integrity of the immigration 
| pragram. 


Em 
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Identify the flow of the personal information within and outside the institution's program or activity. 
Institutions may choose to outline the flow of personal information in the format of their choice. 


FR information Flow Model - Diagrams 
The flow of personal information within the FOTM system is depicted using data flow diagrams (DFDs) 
on the following pages. There are four types of symbols used in these diagrams: 


+  Sharp-cornered rectangle: represents an external entity that provides information to the system 


or receives information from it | 

*  Round-cornered rectangle: represents a process where information inputs are transformed into 
information outputs 

+ Open-ended rectangle: represents a repository where information is stored 
Arrow: represents a flow of information 


* 


tach shape is labelled to describe its purpose or content. 


The DFDs are presented as a hierarchical model of the system. The first diagram is a high-level overview 
of the system, showing the system as a single process exchanging information with various external 
entities. The next diagram decomposes that single process into five sub-processes. The following 
diagrams decompose four of those sub-processes to a greater level of detail. The fifth sub-process is 
straightforward and requires no further decomposition. 
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Figure 2: High-level Data Flow Diagram — Faces on the Move 

The Traveller entity in 

Figure 2 represents all travellers who pass through the international area of Terminal 3 of Pearson 
international Airport during the course of the FOTM demonstration. Travellers’ faces and actions will be 
recorded as part of the main task of demonstrating FR. Travellers (or their representatives) may also file 
access to information requests or privacy complaints regarding the information collected from them. 


The Actor entity represents CBSA employees who volunteer to participate in the FOTM demonstration 
to help researchers calibrate the FR technology. We cannot be certain that any travellers on the POD will 
pass through the airport during the time of the demonstration. Actors are required to help demonstrate 
the readiness level of the technology by walking through the airport at known times. Actors' faces and 
actions will be recorded, just like those of travellers. In addition, actors will be enrolled into the PDD 


through a posed facial photograph (the "reference face" data flow). Finally, actors will provide 
information about each walkthrough (time and actor identity). The FR system will include actual 
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The PDD Sources entity represents all entities (external to FOTM) that provide the source data for 
constructing the operational PDD (i.e., the entries that do not come from actors). This is expected to 
include GTAR's existing database of Previously Deported Persons. All personal information will be 
handled in accordance with existing procedures and requirements. 


performance of the FR technology, which will include individuals from the CBSA, Face4 Systems, and 
ETS; however, ETS will not have access to any personal information (performance metrics only). 


The External CBSA Systems / Storage entity represents a CD, USB or similar device that would receive 
information related to travellers who have been directly affected by the FOTM demonstration. if the 
system and the primary adjudicator match a traveller to an entry on the operational PDD, CBSA will 
attempt to locate that traveller within the CBSA-controlled areas of Terminal 3 of Pearson International 
Airport and interact with him or her in accordance with existing procedures. According to current CBSA 
policies, the information that led to this interaction with the traveller must be kept for two years. The 
FOTM demonstration is only in operation for a short time, so information that led to action with respect 
to a matched traveller will be exported to other CBSA systems to be retained for the required period. 


information validated independently by the Immigration Secondary BSOs may be stored in existing CBSA 
systems, but not until an independent identity validation task has been completed. 


The ATIP entity represents that branch of the CBSA (Access to Information and Privacy) that will extract 
ATIP and the traveller is outside the scope of FOTM and is not directly represented in this model: 
below decomposes the high-level process into five numbered sub-processes. 
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Figure 3: Data Flow Diagram ~ Demonstrate Facial Recognition 


The five sub-processes are as follows: 
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gx 1. Manage PDD ~ extract PDD data from external systems and actors and create PDD entries; 
| present PDD records to other processes as needed 
2. Recognize Faces — record the faces and actions of travellers and actors and identify those that 
match entries in the PDD; determine which matches are control (actor) matches and which are 
operational (traveller) matches; extract relevant video footage for operational matches 
Process Matches — humans adjudicate each system-identified match either in real time or after 
the fact; act on adjudicated real-time operational matches; export match data to external 
systems when a matched traveller is affected 
4. Process Requests & Complaints -find relevant records within the system for any traveller that 
submits a request or complaint about the personal information collected from him/her 
5. Analyze Performance ~ evaluate how well the system identified actors; re-run the original 
photos while adjusting performance parameters to improve the detection rate while minimizing 
the false acceptance and false rejection rates 


iA) 


Figure 4 below expands the PDD process. 
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Figure 4: Data Flow Diagram - Manage Previous Deportation Database (PDD) 


PDD data will be extracted from an existing CBSA regional database which stores information and 
Paes on Rsevieusy Deporte P Persons process 1.2). The size of the PDD will be limited to 


ME 
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xiu. approximately 5,000 records for the FOTM demonstration. The primary criterion for selecting records is 
that a person has been deported two or more times in the past three years; however, the project will 
not include any individual who meets this criterion if the photograph of the individual is not of sufficient 
quality to support the FR technology. 


Each entry in the PDD will contain a photo of the person of interest (taken by CBSA before a prior 
deportation), the person's name, date of birth, a FOSS ID number (which links the entry to a record in 
the Field Operations Support System (FOSS)*), and any warnings associated with the person (such as 
safety warnings, threat warnings, health warnings, etc.). 


PDD data will be extracted to allow the CBSA to carry out its mandate to detect and identify persons 
who have a record of failing to comply with the immigration and Refugee Protection Act. 


Control PDD data, including photos, will be collected directly from actors (CBSA employees who 
volunteer; process 1.1). The control PDD will contain information about known individuals who will, over 
the course of the demonstration, walk past the cameras to test the performance of the FR technology. 
These control PDD entries will be similar in structure to operational PDD entries, but with an extra note 
that they are control entries. The control photos will be of real individuals, but the biographical 
information will be test data. 


AIL PDD entries (operational and control) will be securely stored as per CBSA policies on the storage of 
protected information (refer to Appendix: Comptrollership Manual - Security Volume — Chapter 6: 
Storage of Sensitive Information and Assets). The data store for PDD entries will be dedicated to the 
oo FOTM demonstration. This data store will not be connected to any other CBSA systems or programs. it is 
expected that the PDD entries will be in the form of relational database records, including the photo 
images. 
The system will include a capability to allow PDD entries to be manually updated or deleted (process 
1.3). New PDD entries may be added during the six months of the demonstration on an ad hoc basis. 
These ad hoc additions will use the same procedures as the initial entries and would include any new 
Previously Deported Person who meets the initial selection criteria or new actors 


Figure 5 on the next page expands the Recognize Faces process. 
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Figure 5: Data Flow Diagram - Recognize Faces 


Travellers and actors will walk through the CBSA-controlled areas of Terminal 3, Pearson Internationa! 
Airport, such as the arrivals hall, the approaches to the PIL booths, the PIL booths themselves, and the 
approach to the immigration point. Actors will inform the system when they have performed a 
walkthrough (process 2.3). This will likely be by swiping an identification card at a special-purpose card 
reader. The date and time of the walkthrough and an identifier of the actor will be recorded as 
walkthrough data. This information is required to analyze performance and accuracy of the FR 
technology. This information will be stored as per CBSA policies on the storage of protected information 
when they are not in use. (Refer to Appendix: Comptrollership Manual — Security Volume — Chapter 6: 


Dedicated project-cameras mounted at selected locations in the CBSA-controlled area of Terminal 3 at 
Pearson International Airport will record the faces of people walking through those areas (process 2.1). 
Dedicated project video cameras referred to as scene cameras will also record video of the travellers 
and actors (process 2.2). All facial photographs and scene video recordings will be securely stored as per 
CBSA policies on the storage of protected information when they are not in use. (Refer to Appendix: 


Access to and control of any photography equipment is limited to qualified operators who are 
authorized to do so by the manager responsible for Terminal 3 of Pearson International Airport. 
Authorization is provided in writing and specifies the purposes for which access and or control is given. 


As facial photographs of arriving passengers and of actors are captured, they are compared to the 
entries in the PDD (process 2.4). 


If the FR system identifies a potential match between a live-captured photo and a PDD entry, the FR 
system will compare the match with the walkthrough data to determine whether the match is a test 
subject from the control group of actors (walkthrough; process 2.5). All potential matches that are not 
walkthroughs will be deemed operational. The FR system will attach to each preliminary operational 
match a video clip taken at the same approximate time and location as the matched face photo (process 
2.5). This is to provide additional context for the match, such as the traveller's clothing, location, and 
companions. 


Ail facial photographs will be retained until the end of the FOTM project. This is so that the stream of 
face photos can be re-run in a lab setting to assess and analyze the performance of the technology. All 
facial photographs will be securely stored as per CBSA policies on the storage of protected information 
when they are not in use. (Refer to Appendix: Comptrollership Manual — Security Volume — Chapter 6: 
Storage of Sensitive Information and Assets). Unused scene video recordings will be deleted 30 days 


after creation, in accordance with the CBSA's current policies for video recordings. Video clips that end 
up being used to support administrative action against a traveller will be retained for two years from the 
date of last administrative use, in accordance with the CBSA's current policies for video recordings. 


(Refer to the Policy on the Overt Use of Audio-Video Monitoring and Recording Technology.) 
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All matches, operational and control, will be stored in the FOTM system and displayed on a monitor in 
the Surveillance Centre. Hish- probabit E matches will be displayed immediately. Low-probability 
matches will be reviewed in bulk at a later time. A CBSA adiudicator (or, in the case of a low-probability 
match, a project scientist or technician) will review each potential match on the monitor and decide 
whether the match is valid (process 3.1). 


The adjudicator records the adjudication decision (true or false match) in the match record in dedicated 
applisition a ae on rædedicated workstation; and stored on icd FR server. . The E record will 
operational ands wi i inks a ia ted vien Na to ins Vim ne deca The ane sr wi illa also 
contain the adjudicator's decision to accept or reject the match. 


if the match is accepted by the adjudicator and is real-time and operational (Le. a traveller, not an 
actor}, the FR system will send a notification over a wireless communication channel to one or more 
handheld devices carried by roving CBSA officers in the terminal. The adjudicator will also radio a 
superintendent to advise the superintendent that a match has been found and to describe verbally the 
physical appearance of the person, based on the scene video recording. The roving officer will use a 
PR project- "specific application on the handheld device to access the match record. This allows the roving 
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P officer to view photos, video, and information about the matched individual. The roving officer uses this 
| information to search for and intercept the matched individual (process 3.2). If the match is rejected by 
the adjudicator or is a control match (i.e., an actor, not a traveller), the system takes no further action. 


If the roving CBSA officer finds the matched individual, the officer will interact with the individual 


following standard CBSA protocols and procedures. 


outcome of the officer's interaction with the matched individual or with the officer's failure to locate the 
matched individual. Outcomes may include: released, detained, referred to secondary, failed to 
intercept. 


When an operational match results in action being taken with respect to a traveller, such as a referral to 
secondary examination, the match record, including all PDD information, live-capture photos, and scene 
video, will be exported to secondary storage (CD, USB or similar) in accordance with CBSA policies which 
require that any interaction with a traveller (i.e. referring the individual for secondary examination 
based on the FR solution) must be kept for two years. The storage device will be kept on the individual's 
file, so that a permanent record of the information that led to the action can be preserved; however, 
evidence supporting deportation will be limited to the identity validation efforts of the secondary 
immigration BSO. If deportation is the result of the secondary examination, then non-FOTM data, 
including video from existing Terminal 3 cameras, will be used to support the deportation proceeding. 
Only in rare and extraordinary cases does CBSA envision FOTM data being a supporting piece of 
information in a deportation proceeding. 


Figure 7 below expands the Process Requests & Complaints process. 
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Figure 7: Data Flow Diagram - Process Requests & Complaints 


If a traveller makes a formal access-to-information request or files a complaint with respect to the 
information gathered by the FOTM system within 30 ders of the creation of a live-capture photo of the 
traveller (process 4.1), designated CBSA personnel will identify and retrieve from the system copies of 
records relevant to that traveller (process 4.2). bere could include PDD entries, face photos, video 
recordings, and match records. The relevant records will be copied to another storage medium such as a 
USB key or DVD and will be retained (process 4.3) for a minimum of two years in accordance with 
subsection 4(1) of the Privacy Regulations. All photo ane PDD D data and bud di will be retained in 
accordance with the relevant CBSA security policy (Comptro p hip Manual - Security Volume — Chapter 


6: Storage of Sensitive Information and Assets). CBSA's ATI IP division will handle the request or 


complaint from then on in accordance with its normal sales à ind practices, ATIP's process is beyond 
the scope of this system. 


All live-capture photos (whether matched or not}, operational and control PDD entries, match records 
(whether accepted or rejected by an adjudicator), and actor walkthrough records will be retai ined in 
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lab setting. as perse pa ee are a aise to ; determine the ontimal settihgs sforn minimizing false 
acceptance rates and false rejection rates. The match records, particularly for control subjects (actors), 
will be analyzed to assess the accuracy and effectiveness of the technology. This data will not be 

di isclosed outside the CBSA (although statistics and experimental findings on the technology's readiness 
will be summarized in a final report). This use of photos, the PDD, the match records, and the 
nidis records is a non-administrative use. A non-administrative-use security protocol has been 
developed to address proper handling of this information. 


All data within the system will be deleted or disposed of after the FOTM project ends. a of rail 
data will de dias in S Wes the en y found i in the CBSA A Comptrollership Manual — 


uv BASÉE ESP 


The photos and related data will be deleted or disposed of two years from the date that the last 
administrative action is taken with respect to it. Disposal of all data will be done in accordance with the 
policy found in the CBSA Comp Manual — Security Volume, Chapter 8: Disposal of Sensitive 
information and Assets. 


ts). 


Example of a Data Flow Model - Table 


Source of the personal information for the program or activity 
From whom or from what organization is the personal information collected? In other words, identify 
who is providing the personal information that is being used, will be used or available for use for the 
program or activity. There may be more than one source, indicate ail sources: 
E À federal government institution (identify tiom what Fe Overt Audio-Video Surveillance (CBSA PPU 1104) 
_ PIB the information is obtained) CBSA Removals Program (CBSA PPU 1301) 
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Internal Use and Disclosure 


Where will that information eiéalaté within the federal government institution? This must identify any 
related programs or activities and personal information banks as identified in the institution's Info 
Source chapter. 


n: Personal intor on bank 


SELL ED ee ROE od ARR TL ER RER —————————Y—————————————ÓÓÓÓÓ— CEE EEE HE 


The individual or a 
| representative 


Where will that information circulate outside of the federal government institution? This includes any 
disclosure made to: 


. A federal government 


| An individual or his/her representative may make an ATIP request with - 
: respect to his/her information. 


| Records may be disclosed within CBSA for the purpose of enforcing 


- institution | federal | legislation. 


- Provincia d Bern Er pm 


- A Aboriginal Government} | N/A 
Council : 


State 


- international | N/A 
Organization | 


pee will be disclosed to Face4 Systems, a piivate-sector | 
| organization that will assist the CBSA in analyzing and evaluating the FR 

technology during the project. Face4 will work with CBSA ISTB 

_ personnel to re-run the live-capture photos against the PDD and 


« Located in Canada add 
Canadian Owned 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


CBSA - Released under the Access to Information Act. 
rtu de I l'Accès à l'ini 


ASFC - Divulgation en vertu de la loi sur l'Accès à l 


For Internal Use Only ~ Distribution Limited to Project Personnel 


and false rejections. They will modify system parameters that govern 

: the matching processes to attempt to lower the false acceptance and 

. false rejection rates as much as possible. Such disclosures will be made 
: oniy for the purpose of assessing the performance of the technology. 

| Such disclosures will only be made in accordance with the relevant 
-legislative provisions and within the bounds of a clearly articulated 

| contract. 


. Note: ETS will not have access to personal information but will have — — 
| access to derived information (scores of matches). They have no access - 
to any of the match data, FOSS ID, photos, etc. - 


- Located in Canada and N/A 
Foreign Owned : 


Retention / Storage 


Where will the information be stored or retained (identify all organizations that will store the 
information — this includes duplicates of the databases containing the personal information or any back- 
ups}: 


| À federal government institution — Records will be stored at the location where they are made. The records 
| within the CBSA . will be housed on secure servers and in secure storage with access controls. 
: : When the live demonstration phase of the project is complete, all 
. computing equipment, including storage devices and the records stored on 
| them, will be moved to the CBSA's Science and Technology lab in Ottawa. 
. The records will continue to be housed on the secure servers and in secure 
storage with access controls. 
in all cases where storage devices are used, they will be required to meet 
baseline physical security requirements based on the level of sensitivity of 
information gathered as per CBSA Security Volumes, depending on the 
recording medium. 
in cases where FOTM results in action being taken with respect to a 
. matched traveller, relevant records will be exported to alternate systems or 
Storage within CBSA. All such storage will comply with all security and 
. privacy requirements. | 
Records will not be disclosed to other federal government institutions. 
| All personal information collected and held by the CBSA during this project 
will be deleted or disposed of at the end of the project in accordance with 
CBSA policies and procedures. 
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E Provinci: al Government TS 


- Aboriginal Govern ment/ | N/A 
Council 


State 
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- International N/A 
Organi izatio : 


T 3. Located canada sud C N/A 
- Canadian Owned | 


Owned 


- Located abroad add | N/A 
Canadian Qwned 


- Located abroad and N/A 
Foreign Owned 


Other Possible Considerations 


identify the areas, groups and individuals who access and handle the personal information: 


Identify the areas / groups / divisions who are allowed to access and handle the personal information 
collected for the program or activity. Also, identify where these areas or groups are located (i.e. national 
capital region, within a province, in a foreign country, or several locations if teleworking) as well as the 
location of the personal information to uncover any potential trans-border or inter-jurisdictional issues. 
When reasonable to do so, by virtue of the size of the organization or the number of individuals, identify 
individual positions rather than the work area or group. 


Federal govern ent institution responsi ible for program or activity: Canada Border Services Agency 


: Chiefs, neris sors ind select The CBSA will deploy this system at the interna ifiahal 

_ Border Service Officers have arrivals hall and related areas at Pearson International 
- access as part of their official | Airport, Terminal 3. 

duties. : 


Inland . Chiefs, Supervisors and The CBSA will deploy this system at the international 
Enforcement | Investigation Officers have arrivals hall and related areas at Pearson International 
Division a access as part of their official _ Airport, Terminal 3. 
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| Science and _ Research scientists . The CBSA will move the system and all its data to the 
: Technology | | Science and Technology Lab in Ottawa for post- 
| | : . demonstration Mage 


i ate Sector: Face4 Systems: (one table per instituti ition) 


| Face4 . Technicians, teci hnologists, Face4 Systems will manage the system remotely 

- Systems system analysts, | from the CBSA Science and Technology Lab in 

: . developers |. Ottawa. They will also conduct post-demonstration 

- analysis of the system and the data it collected, also 
_at the CBSA's Ottawa lab. 
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| 2.1 [X] Ensure that all personal information necessary to administer the program or activity is listed 
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L Has a legal authority been identified for the collection of personal information for this program or 
activity? 


BRR RSE 


cutharilys must He biche x ori a mei "t nee pecan buts section 4 does not prani 
legal authority for such a collection}. 
Policy reference: Section 6.2.6 of Directive on Privacy Practices 


Yes 


| 1.1 [X) Please specify the legal authority and briefly explain its connection to the program or activity 


or how i it permits the collection of the personal information: 


Immigration and Refugee Protection Act, paragraphs 15(1), 16(1), 16(1. 1j 1504, 
16(2)(a), 16(2)(b), 16(2.1), 16(3), 18(1), and 18(2) | 

if legal authority is unclear consult your Legal Service to determine authority for the program or activity. 
The CBSA's demonstration of FR is directly related to the cited paragraphs of the 
IRPA, which require all persons seeking entry to Canada to submit to an examination 
of their persons and documents. These paragraphs also allow for the presentation of 
photographic evidence of an applicant's identity. 


immigration and Refugee Protection Regulations, paragraphs 28, 28(a), 28(b), 28(c), 
and 28(d) 

The cited regulations clarify that any person seeking to enter Canada is making an 
application under the terms of paragraphs 15 and 16 of the /RPA. 


— Continue to Question 2 


| No 

1.3 |. ] If there is no legal authority for the collection of personal information, it cannot be collected. 
: Please consult your institution's legal advisors to determine if there is authority to proceed 
with the program or activity. 


: is each element and sub-element of personal information collected or to be collected necessary to 
administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 
Policy reference: Sections 6.1.1, 6.1.3, 6.1.4, 6.2.7 and 6.2.8 of Directive on Privacy Practices 
YES 


in the relevant PIB. 
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| 2.2 Tx] AND, implement controls and procedures to ensure the institution does not collect more 


personal information than is necessary for the identified program or activity and that a 
NC: need exists for that information or its collection. 


“Section 3 3 — Anasi anh Personal ee Elements" t to identi ify on thata are "necessary" 


and not merely. useful. Document tany n 


Is the collection of the Social Insurance Number (SIN) necessary to administer the program or 
activity? 


iex d reference: Section 4 of Privacy Act Act 


: "- ease aded: a i quare boss below 
| 3.2 Li State legal authority for coll lecting the SIN 


to ACH federal institution that is authorized to collect it, or to another level of 


government, establish an agreement or arrangement that includes specific provisions to 
limit the use of the SIN 


uir ic provisions to » limit the use of the: SIN. 
E 5| | AND, ensure that the relevant PIB for the program or activity states the authority under 
| which the SIN is collected and the purpose for which it is used. 
— Continue to Question 4 
NO 
3.6 DX] The SIN is not necessary and it will not be collected, used or disclosed to administer the 
3 program or activity. 


— Continue to Question 4 
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| Is personal information collected directly from the individual to whom it relates? 
Statutory reference: Sections 4 and 5 of Privacy Act 


Policy reference: Sections 6.1.1, 6.2.6 and 6.2.8 to 6.2 
56.1.2 and 6.4.1 of Directive on Social Dp Number 


p t DX | A"Privacy Notice" (adapted for either verbal or written communications) must be provided 

to the individual at the time of collection and it must notify the individual of any of the 
following elements that apply (please check all appropriate boxes): 

x a) The purpose and authority for the collection 


Dx] J b) Any uses or disclosures that are consistent with the original purpose. 


g ius uses or disclosures that are not related to the Sone a! p pepe 


| | f! Areference to the PIB for the program or activity 


EM g) Why the SIN is collected, how it will be used and the consequence of not providing it 
AND, add a "Consent Statement" to the "Privacy Notice" as appropriate, if the personal 
information is to be used or disclosed for a purpose other than the original purpose or a 
consistent use, or, to authorize indirect collection of personal information. 
4.2 NE The "Consent Statement" must include, as applicable, the following elements (please check 
all appropriate boxes): 
a) The purpose of the consent and the specific personal information involved. 
[ ] b) In the case of indirect collections, the sources that will be asked to provide the 
information. 
[| | c) Uses and disclosures that are not consistent with the original purpose of the 
collection and for which consent is being sought. 
L d) Any consequences that may result from withholding consent. 
e) Any alternatives to providing consent 


43 (| AND, implement controls and procedures to ensure that the institution keeps a record 

- documenting whether or not an individual provided consent when it was sought, including a 
record documenting any withdrawal of consent when applicable. 
— Continue to Question 5 


4. 4 [] The personal information necessary for the program or activity is not collected directly from 
the individual. It is collected indirectly, for example, from another program within the 
PUIS, or from another institution, government or third party. 
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n Is personal information collected indirectly from another source with the informed consent of the 
- individual to whom it relates, or from a person authorized to act on behalf of the individual 
: FREE to section 10 E the — Regulations? 


6.12 iid 64.1 ioi the fikecthere on Social inu bar 

YES 

5.1 [| The notice and consent requirements stated at Question 4 apply. Please review the required 

: elements listed under "YES" at Question 4 and check the corresponding boxes below to 
indicate the elements that need to be included in the "Privacy Notice" or the "Consent 
Statement. {check all that apply): 


5.2 a AND, een controls and procedures to ensure the institution keeps a record 


documenting whether or not an individual provided consent when it was sought, including a 
record documenting any withdrawal of consent when applicable. 


. 5.3 [ ] AND, if information is being collected from persons authorized to act on behalf of minors, 
: incompetents or individuals who have been deceased for less than 20 years, implement 
appropriate mechanisms to ensure that such persons are authorized to act on behalf of 
individuals who do not have the capacity to provide consent. 


os | 


lection - ‘Without Notifi cation and Consent | 


is personal information collected from another source without notice to or consent from the 
individual to whom the information relates? 
Statutory reference: Sections 4, 5, 7 and 8 of Privacy Act and section 10 of Privocy Regulations 
E sections 6. 2. 6 and 6.2. 3 to 6. 2 13 3 3 of Directive on Privacy Practices 


x Where information is collected indirectly under any of the following circumstances without 
notice to, or consent from, the individual to whom it relates, please check the applicable 
boxes and explain as requested: 


a) The collection is a result of a disclosure to the institution under subsection 8(2) of the 


Privacy Act. State the applicable paragraph(s) of subsection 8(2) and provide a brief 
explanation for each: 
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the ori iginal collection, HRK. compli ance with sections 15(1] 160 L 
16(1.1), 16(2), 162a), 160245), 16(2.1), 16(3), 18(1), and 18(2) of the Immigration 
and Refugee Protection Act and sections 28, 28{a), 28(b}), 28(c), and 28(d) of the 
immigration and Refugee Protection Regulations. 


b Direct notification of the individual might result in the collection of inaccurate 
information, or might defeat the purpose or prejudice the use for which the 
information: is collected. Bri efly explain why notice is not provided 


S 
S 
L^ 


If previously deported persons become aware that their faces are being 
photographed specifically for FR and that this is occurring only at Terminal 3 of 
Pearson International Airport, those persons may arrange to arrive at a different POE 
to avoid the FR or they may try to defeat the technology through head position, hats, 
glasses, etc. 


adenivistrat ive purpose in wie à no » decison’: are er about Jë individ "- to 
whom the information relates. 
[X] AND, if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the 
relevant PIB. 


Rae been cn jen documented’ in meio ee Br Tia program or acti P in "Section i te - 
Overview and PIA Initiation" of the PIA. 


jus = cof ected d recti y , from ihe individual, or rindicectt y wi (ith thee consent i the 
individual. Please review the responses to Questions 4 and 5 and ensure that the "Privacy 
Notice" or the "Consent Statement" includes all of the required elements listed under "YES" 
at Question 4. 


+ Continue to Question 7 

6.5 | | All personal information is collected directly from the individual to whom it relates, or from 
another source with notice to, or consent from, the individual or a person authorized to act 
on behalf of the individual (see Questions 4 and 5 above). 


— Continue to Ra 4 


P to othe cane Infarmution? ? 
| Statutory reference: Section 12 of Library and Archives Canada Act, sections 6, 10 and 11 of Privacy 
Act and section 4 on Res ulations 


YES 
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for any recordi considered to bea transitory record, the RDA is MIDA 90/000: transitory 
records will be retained until the end of the project and will be destroyed within 15 days of 
the expiration of that retention period. 

Recordings of FR activity that are used to obtain or provide information or to investigate an 
allegation or complaint, or used as evidence in respect of an identifiable individual shall be 
kept for the longer of two (2) years following the date of their creation, or following the date 
of their last use in an administrative action as information or as evidence in respect of that 
person. 

A RDA nas Hed requested from nié and a Archives carats for i records oe are not 


intention of thé CBSA to retai in these records | in accordance with hparaerábh ha} € of the 
Privacy Regulations, for a minimum of two years from the date of their creation. 


5. AND, implement controls and procedures to ensure that personal information used to pu a | 
decision that directly affects an individual will be retained for a minimum of two years after — 
the last administrative action or, where a request for access to the information has been 
received, until such time as the individual has had the opportunity to exercise all his/her 

| rights under the Act) 

7.3 | AND, if the institution intends to dispose of personal information that has been used for an 

| admi nistrative s purpose sided to ads pin of the two- "year r minimum retention Standard 


the information es beore n so. 


DG AND, the institution must cite the RDA number, the retention period and the disposition 

standards for the personal information in the relevant PIB. 

— Continue to Question 8 
- 7.5 Provide a Records Disposition Submission to Library and Archives Canada describing the 
records containing the personal information for which the institution requires a RDA. 

The CBSA has requested a RDA for all audio-video records that are not considered to be 

| transitory. 
| 7.6 [X] AND, obtain a RDA from Library and Archives Canada to allow the institution, under certain 
2 conditions, to dispose of records that no longer have operational utility for the program or 
activity. 


>< AND, ensure that all the other applicable requirements listed under "YES" at Question 7 are 
met. 


— Continue to Question 8 


Will measures be adopted to ensure that personal information used by the institution for an 
administrative purpose is as accurate, up-to-date and complete as possible? 


Statutory reference: Sections 5, 10 and H of Privacy Act and sections 10 and 11 of Privacy Regulations 
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cie ts 


Bt Please check any of the following measures that will be adopted to ensure accuracy of the 
personal information and provide details as requested: 


8.1.1 [x] Personal information will be collected directly from the individual to whom it relates or it 
will be validated with the individual or a person authorized to act on behalf of the 
individual. 

8.1.2 A data-matching process will be used to verify the accuracy of personal information 
against a "reliable source" (within or outside the institution) where this is authorized, or 
where consent was obtained. Please briefly describe the data-matching process and the 
sources that will be used to ensure accuracy of the information: 


< In cases where direct collection or consent is snot feasible le, the insti tuti on wil obtain 

information from trusted sources (public or private) and verify accuracy against exitii 
personal information before use. Please identify the sources and procedures to be used 
to check the accuracy of the information: 


Information for the POD will be collected from existing CBSA sources, which are deemed 
to be accurate at the time of collection. 


~ | 844 


with ü person authored to act on pu oft the e individual", rer insti tution musti im Du 

appropriate controls and procedures to ensure that: 

a) the technique(s) and the specific source(s) used to validate or update the personal 
information are documented; 

b) individuals are given the opportunity, whenever possible, to request correction of any 
inaccurate personal information before the information is used in a decision-making 
process that affects them; 

C) personal information can only be modified or corrected by those within the institution 
who have the authority to do so; and 


d) when personal information is corrected or annotated, other authorized holders of the 
information are notified about the correction or annotation and that all copies of the 
information i in the possession of the institution are corrected / annotated. 


emit. 
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| 8.4 m ias explain why such measures will not be adopted: 


formation 


| Will the personal information collected for the program or activity be used solely for the original 
purpose for which it was obtained or compiled, a use consistent with that purpose, or a purpose for 
| which the information was disclosed to the institution pursuant to subsection 8(2) of the Privacy 


Statutory reference: Sections 5 and 7 to 11 of Privacy Act 
ds RENE Sections 5. 1.1, 6 1. 9, y Be 2. 3 to 6, 2. 13 bae 6. EXE For Directive on a Practices 
olicy on Privacy | ve on Privacy 


im, | oct Assessment 


: YES 

: 9.1 implement controls and procedures to ensure that access to the personal information for 

- such purposes will be limited to authorized individuals who need to know the information to 
perform their official duties | 


i 9.2 [X] AND, ensure that the “Data Flow Diagram" or “Data Flow Tables" completed for "Section IV — 
- Flow of Personal Information" of the PIA identify the areas, groups and individuals (e.g., the 
positions) within the institution who have a need-to-know to access to or handle the 
personal information, including their geographical location and where the personal 
information will be stored or retained. 

X| AND, if the purposes for which the personal ponorom is used includes any use(s) of the 
information for a non-administrative purpose, (such as research, statistical, audit and 
evaluation purposes) the institution will adhere to the requirements and principles in its 

"Privacy Protocol For Non-Administrative dx cu in accorda nce with section 6. 2.15 of 
the Policy on Privacy Protection 
may have on privacy. 
— Continue to Question 10 
NO 
9» 4 [| Identify below any other uses of the persona! information, in other words, any routine uses 
that are not directly related to the purpose of the collection, or, which are not consistent 
with that purpose or for which the information was disclosed to the institution pursuant to 
subsectic ion 8(2) of the Privacy Act: 
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Statement", as appropriate, 


| | AND, ensure the all the other applicable requirements listed under "YES" at Question 9 are 
met. 


— Continue to bp id 10 


Will personal information be disclosed for purposes directly related to the administration of the 


| program or activity? 


Statutory reference: Sections 5 and 8 to 11 of Privacy Act. 


Policy reference: Sections 6.2.10, 6.2.11 and 6.2.13 of Policy on Privacy Protection, sections 6.2.1 to 
6.2 23 of Directive on So: ince Nu secti ions 6. 1. 9, 6. E 3 to 6.2 2.13 i and 5.2. 15 to 6. 2.20 of 


YES 


10.1 X, Please check all applicable boxes below and, for each disclosure, identify the name of the 


organization or third party to which personal information will be disclosed. If it is disclosed 
within the institution, unma ee the branch and the program or activity. 


10.12| | 


10.1.4 LIF 


10.1.6 DX] | The private sector (e.g., contractor or other external s service provider) - specify 


«  Face4 Systems, a contractor that is assisting in the deployment, management, 
maintenance, and post- "demonstration analysis of the system. 
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).2 DX) AND, ensure that: 
a) 


di sclosü res soto persona l formation with consent tof the individ di to ‘whom the 
information relates (subsection 8(1)) or without consent in certain and limited 
circumstances pursuant to subsection 8(2) of the Act; 


b) only personal information elements that are necessary for the intended purpose are 
disclosed; 
c) the organization or third party receiving the personal information is authorized to do so; 
d) administrative, physical and technical safeguards appropriate to the sensitivity of the 
information will be applied to protect the information during and after its transmission 
(see Question 15); 
e) the organization or third party to which the personal information will be disclosed for the | 
administration of the program or activity are identified in the "Consistent Use" section in 
the relevant PIB in Info Source, including the specific purpose of the disclosure; 
f} the "Privacy Notice" or “Consent Statement" describes any disclosures of information; 
and, 
g) the "Data Flow Diagram" or "Data Flow Tables" completed in "Section IV — Flow of 
: Personal information" of the PIA include details on the disclosed personal informatio 
10 3 PX] AND, any disclosure of personal information to another federal institution or outside the 
: Government of Canada is governed by a formal agreement or arrangement (e.g., a 
: Memorandum of Understanding, an accord, a contractual arrangement, etc.) to ensure that : 
m - appropriate privacy protection clauses are included, and, where applicable, include provisions - 
| for inter-jurisdictional or trans-border flows of personal information. Such clauses must cover - 
the following topics: 
a) Control over personal information, where appropriate. 
b) Limitations on the collection, retention, use and disclosure of personal information. 
c) Measures (administrative, technical and physical) to protect the integrity and 
confidentiality of personal information. 
d) Measures governing the disposition of the personal information, where relevant 
e) Measures to ensure or verify that the personal information is only used for the pu poses. 
related to the agreement, arrangement or contract. 
f) Obligations are to be extended to other parties such as subcontractors. 
— Continue to Question 11 
2 NO 
| 10.4[ ] There is no disclosure of personal information within or outside the institution for purposes 
that are directly related to the administration of the program or activity. 


— Continue to Question 11 
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Will controls and procedures be implemented to account for any new use or disclosure of the 
| personal information that is not included in the relevant PIB published in Info Source? 
- Statutory reference: Sections 7 to 11 of Privacy Act and section 4 of Privacy Requiations 


Policy reference: Sections 6.1.9 and 6.2.2 of Directive on Privacy Practices 
YES 


11.1 [X] Appropriate controls and procedures have been or will be implemented to ensure that: 


a) the head of the institution or the appropriate delegate is notified about any new use or 
disclosure of personal information that is not reflected in the PIB description published in - 
info Source; 

b) the consent of the individual to whom the information relates is obtained in writing, as 
appropriate, prior to any new use of the information for an administrative purpose that 
is not reflected in the relevant PIB published in Info Source, unless the new use is 
considered to be consistent with the purpose for which the personal information was 
obtained or compiled and the Privacy Commissioner is notified forthwith regarding the 
new consistent use; 

c) exceptas permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 
information for a purpose that is not reflected in the relevant PIB published in Info 
Source will only be made with the consent of the individual to whom the information 
relates; 

d) arecord is kept for any new use or disclosure of personal information not described in 
the relevant PIB published in info Source, and that this record is stored with the personal | 
information to which it relates and retained for a minimum period of two years following - 
such a use or disclosure 

e) if the information is disclosed to a federal investigative body under paragraph 8(2)(e] of 
the Privacy Act, the record of disclosure will be kept in a separate PIB for a period of two 
years where it will be available to the Privacy Commissioner for review upon request; 

f) the Privacy Commissioner is notified forthwith, as required under subsection 9(4) of the 
Act, of any new use or disclosure that is consistent with the purpose for which the 
information was obtained or complied, but which is not reflected in the relevant PIB 
published in Info Source; 

g) the relevant PIB is amended in time for the next edition of Info Source to include any new - 
use(s) or disclosure(s) that are consistent with the purpose for which the information 
was obtained or compiled, as well as any routine use(s} or disclosure(s) that do not fall 
within the categories of purpose of collection or consistent use; and 

h) the Privacy Commissioner is notified prior to or forthwith, as required under subsection 
8(5) of the Act, about any disclosures made or to be made in the public interest or in the 
interest of the individual to whom the information relates. 

i) Other, Specify 
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NO 


11.2 Ls] Please explain why such controls and procedures will not be implemented (provide adequate 


Justi ification): 


Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of 
sensitivity of the personal information to be collected and retained for the program or activity? 


Statutory reference: Sections 7 and 8 of Privacy Act. 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 
of Directive on Privacy Practices, Policy on Government Securit , Operational Security Standard: 


Management of Information Technology Security | 


YES 


12.1 The information contained in the SoS or similar analysis has been taken into account when 


assessing the level of risks to privacy in "Section 2 - Risk Area Identification and 
Categorization" of the PIA. 
— Continue to Question 13 


: 12.2| | Please explain why a SoS or similar analysis was not considered necessary to assess the 


Sensitivity of the information. 


- Has a Threat and Risk Assessment (TRA) or a similar security assessment been completed for the 
program or activity? 


Statutory reference: Sections 7 and 8 of Privacy Act. | 
Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 
of Directive on Privacy Practices, Policy on Government Security, Operational Securitv Standard: 


YES 


13.1| | Reference the title of the TRA or other security assessment in "Section VII — Supplementary 


biorüments List" and provi ide a brief synopsis of the assessment in the space below: 


13.2 ry AND, obtain assurances from the officials responsible for the program or activity that the 


measures recommended in the assessment have been implemented to ensure the 
COR IMEIHOMSY d and integrity of the personal information. 
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— or senior official i restes k por the: progran m or acti vity and the Head or r del d 
MOM for the did Act. 


334 [X 


if a TRA or similar security assessment is underway, simply reference that fact in the space 
below and indicate when it is likely to be completed. If there is no intent to complete one, 
pibase explain. 


A Security Assessment is underway. It cannot be completed until: the system desi ign i iS 
finalized. Initial review of the in-progress design is that this is generally a low-risk 
system, mainly because it is not connected to any other CBSA systems and because it 
will exist for only a limited time. Internet connectivity = remote management is 

noted and identified as a concern. The final design will include a VPN to protect this 
interface. 


- itify below any administrative, physical and technical safeguards in place, or to be 
implemented, for this program or activity to ensure the confidentiality, availability and integrity of 
the eee inn 


Lae 


Please check ail that peog dire safeguards identified by the TRA or similar security 
assessment. 


14.1 Admi nistrative safeguards 
[X] Internal security and privacy policies and procedures 
[X] Staff training on privacy and the protection of personal information 
[X] Screening and security checks of employees 


A] Appropriate security levels for employees who will have access to personal information 


| Contingency plans and documented procedures in place to identify and respond to 
security and privacy breaches 


| Regular monitoring of users' security practices 


| Methods to ensure that only authorized personnel who need to know have access to 
personal information 
| Other - - please describe 
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| Restricted access areas 
| Security guards 


V4 Locked filing cabinets 
| | Combination locks 
X] Safes 

Cipher locks 

DT Key cards 


| mS Secured server locations 


X] After hours alarms and monitoring systems 


identification badges are worn by staff at all times 


Video surveillance (closed-circuit television) 


| Biometrics 


re-used) 


Password protected screensavers 


E —— user authorization and authentication 


DA Passwords (minimum of 6 characters long, include alpha and numeric characters) 
| Passwords are changed by users every 90 days and recently used passwords cannot be 


[X] Session-time out security (automatically locks an account after a session has been idle 


for a specified amount of time) 


Firewalls 


[X] Intrusion Detection System (IDS) 


XJ Virtual Private Network (VPN) 


XI Encryption of sensitive information 


| Other — please describe 
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| tracking inchnologiés t to HE ré pardon informatión about users sand their KAA 


Statutory reference: Sections 4 to 10 of the Privacy Act and section 4 o id Privacy? E ulations 


Pilvac i Proci ices 


YES 


15.1| The specific tracking technologies to be used is adequately described under Part F: 


Technology and Privacy of “Section If — Risk Area Identification and Categorization” of the 
PIA; 


15.2| |] AND, the collection of any personal information using such technologies is reflected in the 


relevant PIB and in "Section Ill ~ Analysis of Personal Information Elements” of the PIA 


15.3] | AND, the use of such technologies to collect information about users and their transactions 


is adequately reflected in the "Privacy Notice"; 


i AND, those responsible for implementing and using tracking technologies to collect personal 
information or who may have access to personal information collected through these 

methods are made aware of privacy and security policy requirements; 

AND, where personal information collected through such tracking technologies is used to | 
ma ke a decision that directly affects the individual to whom the information relates, it will be | 
retained for a minimum of two years after the last administrative action as required under 
the Privacy Regulations. 


X, Tracking technologies are not used to collect personal information about users. 


3 Continue to Muestian 15 


| Will the new or modified program or activity result in new or increased surveillance or monitoring of 
a targeted population? 


YES 


niin app lica able a acis, 


: 16.2 [X] AND, ensure the surveillance or monitoring method(s) to be used, the characteristic(s) of the | 


targeted population and the scope of the surveillance or monitoring are adequately 
described under Technology and Privacy of "Section Il — Risk Area Identification and 
Categorization" of the PIA 


| 16.3 DX] AND, any personal information collected or created as a result of such surveillance or 
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monitoring is described in the relevant PIB and in Section {il — Analysis of Personal 
information Elements” of the PIA. 


A DX] AND, the collection or use of personal information through surveillance or monitoring is 

adequately reflected in the "Privacy Notice", unless such notification might result in the 
collection of inaccurate information or defeat the purpose or prejudice the use for which the 
personal information is collected. | 


i notice about surveillance Or r monitori ing will not be provided, please explain why: 


16.5 [X] AND, pe responsible ion. implementing and using such surveillance or monitoring 


| method(s ]or who may have access to personal information collected or created through 
these methods are made aware of privacy and security policy requirements. 


-> Continue to Question 17 


The new or modified program or activity will not result in surveillance or monitoring. 
-> Continue to Duero 17 


. Does the program or activity involve compliance/regulatory investigation or law enforcement, 
| surveillance or intelligence gathering that targets specific individuals against whom penalties, 
| criminal sie or sanctions ma y be Masse cpi 


ations and section 8 of 


| AND, D, identi — the » legisttive MM -— the ss — or law enforcement 
Shai sai involved: 


The activity is undertaken] in accordance with linmigration and Refugee Protection 
Act, paragraphs 15(1), 16(1), 16(1.1), 16(2), 16(2)(a), 16(2)(b), 16(2.1), 16(3), 18(1), 
and 18(2) and Immigration and Refugee Protection Regulations, paragraphs 28, 
28(a), 28(b), 28(c), and 28(d). 


fA AND, if the legislative authority differs from the legal authori ity for the program or activi ity, 
ensure it is adequately reflected in the response to Question 1 of "Section V — Privacy 
Compliance Analysis" and in "Section 1 - Overview and PIA initiation "of the PIA, 


| AND, any personal information collected or created as a result of such regulatory or criminal 
enforcement, surveillance or intelligence gathering program or activity is described in the 
relevant PIB and in "Section Ill — Analysis of Personal information Elements" of the PIA, 

151% AND, the collection or use of personal information n through these compliance i regu latory 
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"a investigation or enforcement activities is adequately reflected in the "Privacy Notice", unless : 
- such notification might result in the collection of inaccurate information or defeat the 
purpose, or prejudice the use, for which the personal information is collected. 
P< if E! iie about the compliance/regulatory investigation or law enforcement activities 
Il not be provided, please explain why: 


if previously deported persons become aware that their faces are being i 
photographed specifically for FR in support of immigration enforcement and that 
this is occurring only at Terminal 3 of Pearson International Airport, those I 
persons may arrange to arrive at a different POE to avoid the FR or they may try 

to defeat the technology through head p position, hats, glasses, etc. 


| 17.6 a The program or activity does not involve the conduct of regulatory or criminal enforcement, 
surveillance or intelligence gathering. 


ie > MP can be used to keep an account of actions completed and to track outstanding actions 


eR. 


H | Legal authority for the program has been established and is 


reflected | in the relevant PIB. 


2 a) The categories and elements of personal information to be 
collected for the new program have been carefully assessed 
based, for example, on the institution’s experience gained 
with the administration of a similar program. The personal 
data collected will be limited to only that which is required.) 


: b) These categories and elements of personal information have _ [] 
.. been described in the relevant PIB for the program. | | 


| c) Controls and procedures will be implemented to ensure that _ yx 
the institution does not collect more personal information : 
than necessary for the program and that a continuing need 
exists for that | information and its collection. 


4and 5 _a} All of the requisite "Privacy Notices” and “Consent 
/ Statements" that meet the requirements of sections 6.2.9 to 
6.2.12 of the Directive on Privacy Practices have been 
drafted.(Texts of the notices and consent statements may be 
included here. ) 


| The followi ing notices are casted | in "Términal 3 of Pearson 
Internati ional Airport: 
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| For more information on the CBSA's use of these recordings, 
| please ask to speak with a supervisor or visit www.cbsa- 


asfc.gc.ca." 
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b} Controls and procedures have been implemented to keep 

. records of individual consents, and to ensure that persons 
acting on behalf of individuals who do not have the capacity 
to provide consent have the authority to do so under section 


by Library and Archives Canada to authorize the disposal of [] 
the records containing personal information for the 

| program. 

.b) Controls and procedures have been implemented within the - 

program and the ATIP Office to ensure that information that - 
has been used for an administrative purpose will be keep for 
the minimum retention period established by the Privacy — - 
Regulations. 


d c) Reference to the RDA, the retention period and the L] 
disposition standards for the program have been cited in the 
relevant PIB. | 


8 . Controls and procedures are in the process of being 
| implemented to ensure that the personal information 
associated with the program is as accurate, complete and up-to- - 
date as necessary. 


Se Sa elu eee vEvu—————--—-—- RM —PÁ—— 
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SUMMARY OF AN S AND RECOMMENDATIONS 


Four-Part Test 


The use of biometrics to screen travellers against an active database is highly visible and may be 
controversial if privacy risks and societal implications are not considered at the outset. Although the PIA ` 
identified the pressing societal need for identifying illegitimate travellers at the border, the effectiveness 
and proportionality of using FR to match against databases has not yet been fully evaluated; such an 
evaluation is the goal of the Faces on the Move [FOTM] project. 


A number of scientific studies have tested the accuracy of biometrically enabled matching in a 
laboratory setting. However, the CBSA has not yet evaluated the performance of these algorithms in an 


4 


operational environment. The CBSA is unsure if FR technology will be effective and therefore cannot 


evaluate the proportionality of FR screening without first conducting this project. 


infringements on individual privacy. The testing area is confined to a single terminal at Pearson 

International Airport. The environmental conditions within the terminal have been optimized for 
lighting conditions and camera placement to ensure that the quality of facial images minimize the 
likelihood of false positive matches, The system 
Previously Deported Persons list, who have already been determined to be inadmissible to Canada and 


is configured to only match against individuals on the 


have demonstrated their intent to return to Canada under a false name. Multiple points of human 
intervention have been created to ensure that any actions taken as a result of a positive match have 
been reviewed independently by a trained BSO. Finally, a positive real-time match will only result in a 
referral to secondary examination where standard procedures to establish the traveller's identity will be 
followed. These safeguards have been implemented in order to minimally impact privacy while still 
enabling the CBSA to evaluate the readiness of FR matching in an operational setting. 


eliminating the use of "live" data. However, the control group may not have the desired heterogeneity 
in lighting, resolution, and diversity which is required to properly evaluate the effectiveness of FR - 
screening technology. Testing the system using an operational database will also enable the CBSA to 
identify any weaknesses in the photograph enrolment process caused by poor lighting, low resolution, 
or facial obstructions. Excluding the use of operational data may appear to be a less privacy invasive 
means of demonstrating the solution, however, the CBSA believes the use of actors and "live" data ina 
narrowly controlled environment will allow the Agency to identify and mitigate privacy risks in the 
future. 


Risk: Poor performance of FR technology may cause a disproportionate impact on traveller privacy. 
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om Mitigation: The CBSA has implemented a number of measures to improve accuracy of the system 
including controlling environmental conditions, limiting the population of the PDO, introducing multiple 
points of human intervention, and processing only high-probability matches in real time. 


program it may implement in the future. 
ACCOUNTABILITY 


Within the CBSA 


The CBSA has a robust administrative structure to ensure compliance with the Privacy Act and related 
policies and directives. In FY 2012-2013, a Privacy Oversight Committee (PoC) was established which 
consists of senior-level executives within the CBSA that meet regularly throughout the year to discuss 


helps identify a need to assess upcoming initiatives for potential PIAs. 

Bi-monthly reports on the status of PIAs are provided routinely to the PoC and the Office of the Privacy 
Commissioner to ensure adequate planning for the completion of PlAs. The FOTM project was 
presented to the PoC in March 2015. 


The ATIP Division is responsible for recommending the development of a PIA and/or other measures to 
ensure that existing or new programs / activities are privacy compliant. When contacted, the ATIP 


"m Division will provide program areas with the Privacy impact Questionnaire (PIQ). The PIQ is a template 
that requests high-level information similar to sections 1 and 2 of the Core PIA template, and is used to 
develop and record any recommendations given by the ATIP Division concerning the program or activity. 


other privacy compliant measures are required. 


The ATIP Division is also a required stakeholder in the development of Written Collaborative 
Arrangements (WCAs) such as Memorandums of Understanding or Information Sharing Agreements. 
Aside from reviewing WCAs for compliance with the Privacy Act and Treasury Board of Canada 
Secretariat policies, directives, and guidelines, the ATIP Division also makes recommendations with 
respect to the conduct of a PIA before the implementation of WCAs. 


In FY 2012-2013, the CBSA also developed two privacy policy instruments: 
+ The Privacy Breach Protocol; and 
* The Directive on Non-Administrative Uses of Personal Information (Privacy Protocol) 


The Privacy Breach Protocol ensures that all security violations which include personal information are 
reported to the ATIP Division in addition to the Security and Professional Standards Division, and 
outlines the roles and responsibilities of the Agency with respect to privacy breaches, which may include 
notification of the individuals, notification of the Office of the Privacy Commissioner, and the 
identification of mitigating measures. 
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The Directive on Non-Administrative Uses of Personal Information sets out the process, roles and 
responsibilities for the creation of a Privacy Protocol for those programs and initiatives the use personal 
information for non-administrative purposes, such as statistical reporting. 


In FY 2013-2014 the CBSA introduced an online awareness course on Information Management {IM} and 
Access to Information and Privacy (ATIP). The course was jointly developed in FY 2012-2013 and seeks 
to educate employees on their IM and ATIP responsibilities. This course will be supplemented by 
current training activities, which include an in-depth session on the administration of the ATIP program 
at the CBSA, the development of PIAs, and Info Source training. 


Specific to the Faces on the Move Project 


Personal information collected from the six month testing phase will be disclosed to Face4 Systems for 
evaluation after the testing period has concluded and the system has been removed from Pearson 
Airport. The contract between Face4 Systems and the CBSA outlines a number of safeguards for 
handling personal information, including a clear date for when all personal information under its control 
must be destroyed (project end). Face4 Systems originally i intended to evaluate the FOTM project at 
their premises in Ottawa. However, upon reflection during the PIA process, the CASA determined that 
granting Faced Systems personnel access to the CBSA's SED lab would enable the Agency to exercise 
greater accountability for personal information collected under the project. 


Risk: Face4 Systems may not abide by the terms and conditions stipulated in the contract. 


Mitigation: The CBSA will ensure that access to match data and ail personal information by Face4 
Systems staff will be limited to the CBSA's SED Lab, and will reflect control procedures in accordance with 


the Face 4 contract and the CBSA FOTM demonstration procedures that have been established for data 
collection and analyses. 


IDENTIFYING PURPOSES 


Within the CBSA 


The CBSA maintains its ic Source chapter on its website at htto://www.cbsa-asfc.ec.ca/agency 

ag fre; I /pia-eivp/atip-aiprp/infosource-eng.htmi. It conducts ongoing reviews cat the 

chapter to ensure that it efi and completely describes the personal information activities of the 
Agency. The CBSA also ensures that appropriate Privacy Notice Statements are reflected on forms and 
websites, unless such notice is not required pursuant to sub-section 5(3) of the Privacy Act. 


Specific to the Faces on the Move Project 


CBSA PIB PPU 1104 (Overt Audio Video Surveillance) reflects the types of information collected, the 
purpose; RIRE ative a ang ee consistent uses of information collected di CBSA ond 


purpose " FR s screening. ch Records éDispasition andre VRDA) A aid Rete ntion ee i Disposal S Standa rd | 
(RDS) have not yet been published; both are currently reflected in the PIB as "under development". 
However, personal information collected under the FOTM project will be subject to the retention period 
specified under the contract with Face4 systems. 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


For Internal Use Only — Distribution Limited to Project Personne! 


Faces on the Move: Multi-camera Screening | PIA 


Risk: CBSA PIB PPU 1104 (Overt Audio Video Surveillance) has not reflected a RDA or RDS in 
approximately two years. Moreover, if the FR solution were to be implemented or tested any further, the 
"Description" Section should include the personal information category of "biometric information". Also, 
the use of FR should be listed in the "consistent uses" section of the PIB. 


Recommendation: The CBSA will update the RDA and RDS for CBSA PIB PPU 1104. The addition of 
“biometric information" and its use will be added to the "Description" and “Consistent Uses" section if 
biometric-based screening is considered for permanent deployment in the future. 


The CBSA already collects Overt Audio-Video Surveillance as part of its normal port operations. 
Although the FOTM project was developed in compliance with the CBSA's Policy on the Overt Use of 
Audio-Video Monitoring and Recording Technology, the use of FR biometrics is not specifically identified 
within the Policy. The CBSA has chosen not to update the Policy at this time because the FOTM project 
is temporary and there are no plans to install this system permanently. At a minimum, the policy 
statements reflecting "permitted uses" would have to include FR. Also, additional guidance may also be 
necessary to ensure policy compliance. 


Risk: The FOTM project is not integrated into the CBSA’s Policy on the Overt Use of Audio-Video 
Monitoring and Recording Technology. | 


Recommendation: The CBSA should align the use of FR screening into the Policy on the Overt Use of 
Audio-Video Monitoring and Recording Technology. In the interim, the CBSA will ensure the FOTM 
project is managed in accordance with the Policy. 


LIMITING USE, DISCLOSURE AND RETENTION 


Within the CBSA 


limit the use, disclosure, and retention of personal information to only that which is necessary to 
administer the program or activity. 


in FY 2012-2013, the CBSA developed guidelines on the disclosure of customs information pursuant to 
4.107 of the Customs Act. These guidelines set out the specific provisions, their limitations, relevant 
considerations and the appropriate positions within the CBSA (employee, supervisor, senior manager) 
that can authorize specific disclosures or uses. Personal information that is also customs information is 
disclosed in accordance with s.107 of the Customs Act rather than ss. 8(2) of the Privacy Act. 


A similar set of guidelines for s. 8(2) of the Privacy Act was implemented in FY 2013-2014. 
Specific to Faces on the Move Project 
The original scope of the project included disclosure to municipal police in the event that an individual 


was matched to the system but had already cleared the Primary Inspection Line before they could be 
intercepted. However, the privacy risk of disclosing inaccurate information to another law enforcement 
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T expectation of privacy at the border. Further, the CBSA considered including additional databases to 

mE match against but chose to limit the use of the FOTM project to a subset of the Previously Deported 
Persons list exclusively for the purposes described above. Finally, carefully monitored retention 
schedules have been put into place to ensure that the program is "torn-down" at its conclusion. 


dowever, some personal information collected through the FOTM project may be disclosed to internal 
CBSA stakeholders, such as IED, if a rover officer is not able to intercept an individual before the 
individual leaves the airport. This will only include the information provided to the roving officer, 
including the traveller's name, FOSS ID, warnings, and possibly a scene photograph. 


it is noted that if any PDD individuals are identified during the short-term project, they are immediately 
deported without any judicial review. As the PDD is comprised of individuals who have been deported 
and have re-entered Canada at least one time after the initial deportation, judicial review is not 
available to them. Therefore, if any individual on the PDD is identified by the project, there is no sharing 
of the project data to the Department of Justice (DOJ), Public Prosecution Service of Canada (PPSC), 
Immigration and Refugee Board (IRB), or any other organization. Sharing of information on individuals 
who are identified by the project but are not intercepted before leaving the airport, would be limited to 
CBSA systems (not the FOTM FR system) to validate the status of the individual as a Previously Deported 
Person and attempt to locate him/her. 


Risk: There is a risk that FR matches may be inappropriately used to support further investigation by the 
CBSA, which could later lead to proceedings under the Immigration and Refugee Protection Act, related 
regulations, or under the Criminal Code before the CBSA has had an opportunity to test the efficacy of 
the solution. | 


Mitigation: The CBSA will ensure that appropriate procedures are in place to support a match that is 
referred to CBSA investigators with the caveat that the accuracy of this information cannot be verified. 
Specifically, before such a disclosure occurs, significant human intervention will properly assess the data 
match and ramifications of using FOTM FR match in a deportation proceeding. Also, once the secondary 
BSO is notified of a match by the Rover BSO, existing identity validation procedures are taken before the 
individual is deported. 


Also, if an individual departs Pearson Airport prior to being intercepted, information on the individual 
may be shared with inland Enforcement. In turn, Inland Enforcement will ensure that identification steps 
are taken before any deportation proceedings are initiated. 


Risk: There is a risk that project handheld devices may be viewable by individuals in the CBSA-controlled 
area of Terminal 3. Moreover, there is a risk that BSOs will inadvertently release personal information of 
PDD individuals to these individuals who were falsely identified by the FR system. 


Mitigation: The CBSA will develop procedures to ensure that, when questioning a traveller who has been 
selected for secondary examination on the basis of FOTM, the traveller will not be told the name of the 
person on the PDD against whom the traveller has been matched. The traveller will not be shown the 
photograph of the person on the PDD. This will ensure that falsely matched travellers are not 
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inadvertently given information about persons of interest. These same procedures, and related training, 
will instill in Rover BSOs the need to shield the handheld screen when in on the floor. 


Risk: The Standard Operating Procedures designed to support the activities of the CBSA staff at Terminal 
3 have not yet been finalized and approved. These procedures will: 


support an expedited identity of travellers to determine if secondary examination is necessary; 
For false positives, require a quick release process; 

Ensure handheld device screens are shielded from view by individuals on the floor; 

Restrict disclosure of PDD data and the photograph; Le. individuals who are interviewed by the 
Rover BSO and at secondary will not be shown PDD data/photos; 


LANE + + 


"ine n abp/oed, nt et to 5 di d Ghd anpragciote rotin hoá heen E 


ACCURACY 


Throughout the PIA process, the ATIP Division works with program areas to ensure that CBSA programs 
create a process for ensuring the accuracy of information as required, and that program areas are 
capable of handling requests for correction of personal information. 


The correction Lin is ae nated central! ny from the ATIP Division. Ae s id correctic ion are 
whether thee correction was ice, Or reused: whether thec dedicat is made " lréctiy o or Mena to 
the file, and whether or not that information has been disclosed and that those recipients would be 
informed appropriately. The ATIP Division is looking at developing a more standardized approach and 


directive for the processing of correction requests. 


Specific to the Faces on the Move Project 


The CBSA recognizes that the accuracy of the matching algorithm has not yet been proven; the Agency 


has taken measures to mitigate this privacy risk. When installing the dedicated cameras, the CBSA will 
carefully calibrate the environment to ensure that light levels, camera angles, and lines of sight have 
been optimized to ensure that high-quality images are obtained. When the FOTM project becomes 
operational, the CBSA has also implemented policies and procedures to ensure that all matches 
produced by the system are first verified by a specially trained human operator before being actioned. 
Finally, the CBSA will continually refine these conditions to enhance the accuracy of the project 
throughout its duration. However, as the goal of the project is to test the accuracy of the system, there 
is a significant residual privacy risk to operational FR matching which cannot be mitigated without first 
conducting the FOTM project. 


Risk: The FOTM project may incorrectly refer travellers for secondary examination based on a false 


positive match, 
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Mitigation: The CBSA has implemented a number of measures to reduce the rate of false positives by 
controlling environmental factors, ensuring human verification, and verifying the accuracy of a match 
during the secondary examination process. 


Recommendation: The CBSA should implement a limit to the rate of false positives and consider 
deactivating the project if it exceeds this rate. 


BSA 


Typically the ATIP Division strongly recommends the completion of a TRA and SoS as part of the PIA 
process, and directs programs to contact Corporate Security for guidance with respect to those 
instruments. A summary of the risks identified in a TRA are appended to the PIA to ensure that all risks 
are identified and mitigated by the program area. 


CBSA employees are required to take the online CBSA Security Awareness course when they begin 
employment, and to refresh their training every two years. CBSA managers are required to take both 
the CBSA Security Awareness course and a CBSA Security Awareness course for managers. 

The Privacy Breach Protocol complements existing CBSA security policies, and ensures that all security 
violations which include personal information are reported to the ATIP Division in addition to the 
Security and Professional Standards Division, and outlines the roles and responsibilities of the Agency 
with respect to privacy breaches, which may include notification of the individuals, notification of the 
Office of the Privacy Commissioner, and the identification of mitigating measures. 


Specific to Faces on the Move Project 


Although a Threat and Risk Assessment (TRA) is currently underway, the CBSA has incorporated a 
number of safeguards to protect personal information under its control. Personal information used in 
this program been rated as Protected B and will be safeguarded in accordance with the Management of 
Information Technology Security (MITS) when it is installed. This includes, but is not limited to: securing 
physical assets in a location with limited access, restricting user access to the system, and encrypting all 
data transmission to prevent compromise. Further technical and administrative safeguards are 
currently being evaluated through the TRA process. 


Further, the initial draft of this PIA did not examine the use of cellular networks for transmitting 
personal information to roving BSOs. A wireless network is necessary for match alerts because the 
receiving CBSA officer is patrolling the airport and the conditions of the terminal do not permit a Wi-Fi 
network to be created for technical reasons. The scope of the PIA was expanded to include this data 
flow and relevant program areas within the CBSA, including Corporate Security and Information 
Management, were engaged to ensure that the CBSA has proper safeguards and accountability 
mechanisms for personal information it transmits through these networks. 


Risk: The personal information being transmitted on a wireless network may be compromised. 
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Recommendation: The CBSA will ensure that all wireless transmission of data is secure using 
appropriate encryption technologies. Any transmission of recordings over wireless networks must be 
done in accordance with: the C BSA's — on the Use bud Wireless Techn n Gum 4 ireless transmission did 


sic resume ae authorised "i locat iT ade an nn thé Physical Security S Section oftl the re 
and Professional Standards Directorate. À Security Assessment of FOTM, including wireless alert 
transmission, is underway and will be forwarded when it is complete. 


Risk: The system has been configured to enable remote access by system administrators. 


Recommendation: Remote access should be secure using appropriate encryption techniques. 
OPENNESS 


Within the CBSA 


ensures that the descrip ptio ons an program privacy peor ces are BORDES ne am up- des dote: 


The Directive on Privacy Impact Assessments requires departments to ensure that PIA summaries in 
bath offic cial dida n are Bose avai lanle t to inis hanes At a minimum the Summary must address 
{furou c bsa- 


Qr Upon completion of a PIA, PIA summaries are posted on the CBSA website, which also contains 
information on accessing personal information at the CBSA, 


Specific to Faces on the Move Project 


As reflected in Section 7 of this PIA (Question 17.5), notice of camera use to support the FOTM 
demonstration project will not be provided in any form. The CBSA already collects Overt Audio-Video 
Surveillance as part of its normal port operations. Signs throughout the facility indicate that travellers 
are under video surveillance and direct travellers to the CBSA's website or a supervisor for more 
information. | 


Failing to provide such notice is authorized pursuant to sub-section 5(3) of the Privacy Act. 


in lieu of signage, the CBSA has developed a communications strategy, which includes posting an 
executive summary of this PIA, for communicating the general purposes of the FOTM project. The CBSA 
intends to proactively disseminate information about the FOTM project through a news release and a 
dedicated section on its corporate website. All communications materials will indicate the purposes and 
general function of the FOTM project but will not specify where it installed, which database it will use, or 
when it will be operational. 


EAM 
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signage. Failure to provide notice in these circumstances is consistent with sub-section 5(3) of the 
Privacy Act which authorizes the CBSA to refrain from notice if, by providing such notice, may result in 
inaccurate information, may defeat the purpose of the collection, and/or may prejudice the use of the 


information collection. 


LOI, 
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Additional documents used or related to the PIA may include: 


, 
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CBSA Policy on the Overt Use of Audio-Video Monitoring and Recording Technology 


CBSA Directives on the Overt Use of Audio Video Monitoring and Recording Technology 


CBSA PIA on the Overt Use of Video Monitoring and Recording Technology 
CBSA Comptrollership Manual ~ Security Volume Chapter 6: Storage of Sensitive information and 


Assets 


CBSA Comptrollership Manual ~ Security Volume Chapter 8: Disposal of Sensitive Information and 


Assets 


CBSA Policy on the Use of Wireless Technology 

CBSA Guidelines for the Directive on the Use of Wireless Technology 

immigration and Refugee Protection Act 

CBSA Policy on the Disclosure of Customs Information: Section 107 of the Customs Act (formerly 
D1-16-1 and D1-16-2) 

CBSA Policy on the Disclosure of Personal Information: Section 8 of the Privacy Act 

CBSA Enforcement Manual Part 7 / Chapter 3 

CCTV Class of Records 

CCTV Personal Information Bank 

Video Recording and Monitoring Privacy Notice 

Video Surveillance Signage 

Audio and Video Signage 

Video Surveillance Sign Locations 

areas and cash/information counters - 

Inventory of Cameras 

PIA Action Plan 

Security Assessment Summary (work in progress) 
Security Action Plan 

Canadian Safety and Security Program Project Charter — CSSP-2014-CP-2000 
OPC Report: Automated Facial Recognition in the Public and Private Sectors 

OPC Report: At Your Fingertips — Biometrics and the Challenges to Privacy 

OPC Guidance: Guidance for the Use of Body-Worn Cameras by Law Enforcement 
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| The following signature represents a 
| commitment to comply with sections 4 to 8 
of the Privacy Act and the related privacy 


Fa - j* 
_ Martin Bolduc, Vi 
| Programs Branch 


Note: Responsibility for sections 4 to 8 of the 


| Privacy Act rests with all employees of 

| government institutions that handle personal 

| information. Officials who manage such programs 
| and activities are responsible for ensuring that 

| such requirements are implemented as part of the 
| administration of the program or activity. 


0 


The following signature represents a 
commitment by the Head of the institution or 
his/her delegate(s) who is responsible for 
establishing personal information banks in 
accordance with section 10 of the Privacy Act. 


Corporate Affairs Branch 


Signature of Head of the institution or the 
delegate responsible for Section 10 under the 


Note: Under the Privacy Act, the Head or his/her 


delegate(s) is responsible for complying with legal 


and relevant privacy policy requirements related : 
to the approval and registration of personal - 
information banks 
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| Privacy Impact Assessment Template - Overview 


Privacy is protected by national and international law, and for this reason, Treasury Board Secretariat 
(TBS) requires that any new or substantially modified program or activity involving the collection, use, 
disclosure or retention of personal information be assessed for privacy impacts. The Privacy Impact 

Assessment (PIA) is a tool used to identify risks and to describe strategies to remove or reduce these 
risks. 


THE PIA PROCESS 

The program contacts the Access to Information (ATI) and Privacy Division at the planning stage of a new 
initiative. Sections 1 and 2 of this template will be used to determine whether a PIA is required, or 
whether the CBSA Privacy Protocol for Non-Administrative Purposes (2012) must be implemented. 


When a PIA is recommended, the program appoints a drafter, normally a subject matter expert. The 
. program meets with an ATI and Privacy advisor, and a timeline for completion of each phase of the PIA 
is set. | 


The PIA can be a complex undertaking, requiring technical input from a variety of sources such as IT 
Security, Legal Services, Information Management, Contracting and Procurement, and in some cases, 
other government departments or foreign jurisdictions. At the same time, the intended audience of the 
PIA is the privacy advisor with the Office of the Privacy Commissioner (OPC) of Canada, who have little 
knowledge of CBSA programs or systems. For this reason, the PIA must be written in plain language, 
understandable to a non-CBSA reader. Jargon must be avoided, and acronyms should be spelled out. 


When completed, the ATI and Privacy Director and the Vice President lead for the program or activity 
endorses the final PIA, which is then transmitted by the ATI and Privacy Division to the Office of the © 
Privacy Commissioner for their review and to Treasury Board Secretariat for the registration of new or 
modified Personal Information Banks (PIB). An executive summary is then posted on the CBSA website. 


Please note that all text in blue, the various notes, examples, and statutory and policy references 
provided throughout the template are included as guidance to help the drafter complete the PIA 
template. These references must be deleted as the PIA is being completed. 
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Federal Institution: Canada Border Services Agency (CBSA) 


Government Official Responsible for PIA: Vice President, (Programs Branch) 
ATIP Director 


Delegate for section 10 of the Privacy Act: 


EXECUTIVE SUMMARY 


NEXUS Privacy Impact Assessment 


NEXUS is a bi-national Canada-United States (U.S.) program managed by the Canada Border Services 
Agency (CBSA) and U.S. Customs and Border Protection (CBP). The Traveller Programs Directorate of the 
Programs Branch at the CBSA is the Office of Primary Interest (OPI) for NEXUS. 


NEXUS allows for customs and immigration border clearance processes to be streamlined for pre- 
approved, low-risk travellers, thus permitting the CBSA and CBP resources to be allocated more 
effectively at the border. Membership is five years and provides expedited border clearance into 
Canada and the U.S. in the land, air and marine travel modes. In 2002, the NEXUS program was 
delivered in a travel mode specific format, beginning with the NEXUS Highway Program. Subsequently in 
2006, the NEXUS suite of programs was harmonized to provide members with expedited travel 
privileges in all three travel modes (land, air, and marine). NEXUS members use dedicated lanes in the 
highway mode; self-serve kiosks in the air mode; and, by reporting through Telephone Reporting 
Centres (TRC) in the marine mode. 


To become a member of the NEXUS program, an applicant voluntarily submits an application using 
either a paper form sent to the CBSA or by applying electronically using the Global Online Enrollment 
System (GOES) maintained by CBP. When a paper application form is used, a clerk enters the 
information into the Global Enrolment Component (GEC) of the Integrated Customs System (ICS) and it 
is assessed against a variety of enforcement databases to determine program eligibility. The personal 
information entered by the applicant is used by the CBSA and CBP to confirm their identity and to 
determine the eligibility of an applicant and the continued eligibility of a member. 


When an applicant is accepted as a NEXUS member, periodic risking is performed as well as ad hoc 
risking based on cause. Also, an assessment is performed at each passage to confirm if there have been 
any infractions that would result in the revocation of the membership or in the inadmissibility of the 
member into either Canada or the U.S. 


On March 10, 2011, a Privacy Impact Assessment (PIA) for the NEXUS program was submitted to the 
Office of the Privacy Commissioner of Canada (OPC). Observations and recommendations made by the 
OPC in August 2011 were addressed, and communication with that office continues as the NEXUS 
program evolves. Since the original NEXUS PIA, the following developments have occurred that impact 
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the NEXUS program: 


e The Canadian Air Transport Security Authority (CATSA) has implemented the Trusted Traveller 
CATSA Security Lines to provide dedicated CATSA security screening lines to NEXUS members at 
airports; it has also deployed an automated gate pilot project at the Edmonton Internationa! 
Airport; 

e New NEXUS kiosks have been installed at tier 1 Canadian airports and Billy Bishop Toronto City 
International Airport; 

e In 2014, the CBSA launched a pilot project called NEXUS Electronic Gate (eGate) to allow 24/7 
access to the NEXUS lane at the Peace Bridge land border port of entry at Fort Erie, Ontario; 

e The CBSA and CBP are seeking to expand eligibility of the program to third country nationals 

. that are members of their own domestic program, where an arrangement between the three 
parties is forged; and | 
.* Vicinity Radio Frequency Identification (RFID) allows faster Secure capture of individual traveller 
information while in the Primary Inspection Line (PIL) prior to their arrival at the primary 
inspection booth; RFID technology is used for NEXUS Highway. 


These developments are included in this updated NEXUS PIA that will be submitted to the OPC. Please 
note that the proposed CBSA-Canadian Security Intelligence Service (CSIS) pilot project that would share 
information with CSIS as part of the risk assessment process, is being dealt with in a separate multi- 
institutional PIA. | 


Protecting your Personal information 
The following personal information elements will be managed by the NEXUS program: 


full name 

contact information 

signature 

biographical information 

biometric information (for air travel only) 

citizenship status | 

criminal checks/history 

date of birth | 

credit card information (if not paying by certified cheque or money order); and 
identification numbers such as those contained on the birth certificate, driver's license or 
passport. | 


Personal information is not disclosed to other federal departments during the risk assessment process. 
Rather, the CBSA uses the information to run queries in other institution's databases, which the CBSA 
has access to: 


e  CPIC- "Canadian Police Information Centre” (Royal Canadian Mounted Police) - Contains 
wants/warrants and criminal records. 


e  NCIC- “National Crime Information Center of the United States" — Contains U.S. national 
intelligence information — wants/warrants and criminal records. 
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e IBAS- "Interdiction and Border Alert System" (Immigration, Refugees and Citizenship Canada) 
- Searchable for Criminal Removals; Lost, Stolen, Fraudulent documents (LSFDs) which includes 
passport data from Passport Canada; TUSCAN lookouts (Tipoff US Canada); IRCC issued 
documents (valid documents); Immigration Enforcement Indicators (IEls) 


The “Integrated Customs Enforcement System” (ICES) is a CBSA database that contains customs 
seizures for a period of six years plus the current year, and current data. The ICES also contains 
customs/immigration lookouts. 


The pass/fail result of the risk assessment both at initial enrolment and during periodic risk assessment 
is shared with CBP as part of the eligibility and continued eligibility determination process. Pursuant to s. 
107 of the Customs Act, information regarding admissibility may be disclosed to IRCC and within the 
CBSA to enforce the Immigration and Refugee Protection Act and the Customs Act respectively, and 
information may be shared with accredited domestic law enforcement agencies engaged in the © 
administration or enforcement of the law, and in the detection, prevention, or suppression of a crime. 
CBP conducts its own risk assessment process against its respective domestic law enforcement, | 
immigration, customs, and criminal and intelligence databases to determine the applicant’s eligibility 
and continued eligibility into the NEXUS program. CBP shares only the pass/fail result with the CBSA. For 
both the CBSA and CBP, the reason for rejection of an application or cancellation of a membership is not 
shared between the two agencies. 


The collection of information for the NEXUS program is used to determine an applicant’s eligibility for 
inclusion in the program, as well as his/her ongoing eligibility. | 


Right of Access 


A Privacy Notice statement appears on the paper application form and is also presented on the GOES 
screen when applying on-line. The Privacy Notice statement describes the purpose, use, disclosure and 
retention of personal information collected or created as part of the NEXUS program. 


Pursuant to the Privacy Act and its regulations, the Canada Evidence Act and the Customs Act, the 
retention periods for NEXUS information are as follows: | 


Electronic and paper applications may be destroyed according to the following schedule: 


e Rejected applications for NEXUS: The application forms and accompanying documents may be 
destroyed two years after the redress period has expired if there has been no request for 
redress. This information is kept in order to satisfy Privacy Act requirements to keep personal 
information for two years following the last administrative use, and to allow refused applicants 
the opportunity for redress. 

e Successful applicants for NEXUS: The applications may be destroyed six years after the date on 
which an application is approved. The retention period for the accompanying documents is two 
years following the last time the personal information was used for an administrative purpose. 

e Where the Canadian Processing Centre (CPC) is scanning and creating electronic records of 
application forms, the paper applications may be destroyed once electronic copies have been 
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made. The electronic copies should be retained according to the same paper application 
retention schedule above. 


Biometric information may be destroyed according to the following schedule: 


e Rejected applicants to NEXUS: Failed applicants do not provide any biometric data. 

e Successful applicants to NEXUS: Only approved members are required to provide a photograph 
and fingerprints (fingerprints are collected by CBP only and are not shared with the CBSA). Iris 
biometrics are an additional option for those members who wish to use self-serve kiosks in 
airports. The retention period for the photograph and the initial iris scan taken at the time of 

. enrolment is at least two years. Iris templates used to identify a member at time of passage are 
kept for a period of two years following each passage. 


You may formally request access to your personal information, or access to corporate records related to 
or created by the NEXUS program by contacting the ATI and Privacy Division. More information about 
this can be found at: http://www.cbsa-asfc.gc.ca/agency-agence/reports-ra pports/pia-efvp/atip- 
aiprp/menu-eng.html. | 


Accountability 


If you have concerns about the collection, use, disclosure or retention of your personal information, you 
may issue a complaint to the CBSA ATI and Privacy Division. Complaints should be made in writing and 
include your name, contact information, and a brief description of your concerns. Contact information 
for the ATI and Privacy Division at the CBSA can be found here. 


If you are denied or revoked from the NEXUS program by CBP, you will be provided the process for 
seeking clarification in writing. You may also challenge the decision by contacting the local trusted 
traveller Enrolment Centre or by writing to the CBP Trusted Traveller Ombudsman. Further information 
on these processes can be found at http://www.cbp.gov/travel/trusted-traveler-programs/program- 
denials. | 


If you are denied membership in the NEXUS program or are cancelled or suspended from the program 
by the CBSA, you may write to the Recourse Directorate at Headquarters or on-line to request a review 
of the decision within 90 days of the date shown on the NEXUS letter. Further information on these 
processes can be found at http://www.cbsa-asfc.gc.ca/prog/nexus/term-eng.html. 
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ABBREVIATIONS AND ACRONYMS 


The following is a list of abbreviations and acronyms used in this report: 


Access to Information Act 
Access to Information and Privacy 


Business Use Case 


Border Services Officer 


Canadian Air Transport Security Authority 
Canada Border Services Agency 

Canada Evidence Act — 

Common Look and Feel 

Class of Record 

Canadian Processing Centre 

Canadian Processing Centre System 
Canadian Police Information Centre 
Canada Revenue Agency 


Date of Birth 


Departmental Security Officer 
Enrolment Centre 


Electronic Gate 


Global Case Management System 


UE .| Global Enrolment Component 
Government of Canada 

Global Enrolment System (U.S.) 

Global Online Enrolment System (U.S.) 
Headquarters 


Interdiction and Border Alert Systems 


Integrated Customs Enforcement System 
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| Public Services and Procurement Canada 


| < | Risk Assessment Component | 
B Radio Frequency Identification | 


x P Selected Other Government Departments 


. A Canada Border Services Agency LE 


m GPO TN 
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DEFINITIONS 


This section provides definitions of the terms frequently used in this report: 


- 2] The Action Plan describes the steps that the Program will take to address risks that have 
: | been identified by ATI and Privacy Division, OPC and TBS. 


...| The Privacy Act defines an “administrative purpose" to be the use of an individual's 
` | personal information in a decision-making process that directly affects that individual. 


ty | The Government Security Policy (2002) defines E EE RE SUD that 

^ 5 | information must not be disclosed to unauthorized individuals, because of the resulting 
<---> | injury to national or other interests, with reference to specific provisions of the Access to 
| Information Act and the Privacy Act. 


| -| Is a use that has a reasonable and direct connection to the original purpose(s) for which 

^ 7| the information was obtained or compiled. This means that the original purpose and the : 
#7, | Proposed purpose are so closely related that the individual would expect that the 

| information would be used for the consistent purpose, even if the use is not spelled out. 


«Us | À comparison of personal data obtained from a variety of sources, including personal 
| | information banks, for the purpose of making decisions about the individuals to whom the 
= .| data pertains. Data matching is a specialized activity involving the collection, use and 

>> | disclosure of personal information that is subject to the various requirements of the 
| Privacy Act. 


s | Is a series of annual Treasury Board Secretariat (TBS) publications in which government 

| institutions are required to describe their institutions, program responsibilities and 

+ | information holdings, including PIBs and classes of personal information. The descriptions 

|, are to contain sufficient clarity and detail to facilitate the exercise of the right of access 

. | under the Privacy Act. Data-matching activities, use of the SIN and all activities for which 

| privacy impact assessments were conducted have to be cited in Info Source PIBs, as 

.. | applicable. The /nfo Source publications also provide contact information for government 

.. | institutions as well as summaries of court cases and statistics on access requests. 


^. | Personal Information: Information about an identifiable individual as defined in section 3 
. | ofthe Privacy Act. This definition, although lengthy, is not exhaustive, as indicated by the 
= =-=] introductory phrase, "including, without restricting the generality of the foregoing". 
("| Information that is not specifically mentioned in the list may still be included in the 
. | definition of personal information if it qualifies as "information about an identifiable 
~ 3 individual". 


Pers Is a description of personal information that is organized and retrievable by a person's 
| Bank . | 7 7" ^^t name or by an identifying number, symbol or other particular assigned only to that person. 
EI X — Dm The personal information described in the personal information bank has been used, is 
| being used, or is available for an administrative purpose and is under the control of a 
| government institution. 


.Personal Information. 


' v] The Office of the Privacy Commissioner describes "privacy" as ^.. the right to control 
= 4; | access to one's person and information about one's self. The right to privacy means that 
idm | individuals get to decide what and how much information to give up, to whom it is given, 
-| and for what uses." 
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INTRODUCTION 


Background/Overview of the Program 


The NEXUS program offers travellers a means to present themselves in an alternative manner upon 
arrival in Canada because they have been determined to be of low-risk based on pre-screening against 
criminal, immigration and customs databases. This program allows the CBSA to focus its limited 
resources on persons of high or unknown risk while facilitating the entry of persons who are authorized 
by the Minister of Public Safety. 


CBSA is responsible for controlling the movement of persons and goods into Canada. By offering the bi- 
national NEXUS program (with the U.S.), the contributing partners determine who qualifies to be a low- 
risk, pre-approved member for border crossing purposes. 


Through NEXUS, travellers enjoy expedited clearance into Canada and the U.S. by using dedicated lanes 
in the highway mode; self-serve kiosks in the air mode; and, by reporting through Telephone Reporting 
Centres (TRC) in the marine mode. This also benefits non-NEXUS travellers by reducing line-ups in the 
regular PIL. | | 


Personal information data collected by the CBSA for the NEXUS program is used to make a 
determination on the applicant for membership eligibility and continued eligibility in the program. 


Biometric information captured during enrolment (e.g. iris scan), is used to identify the member at a 
NEXUS kiosk upon return to Canada in the air mode. Individuals are not required to provide their iris 
biometric if they do not intend to travel by air. 


Fingerprints are only collected by the U.S. CBP to verify the identity of the member at a Global Entry 
kiosk when entering the U.S. and during renewal or re-enrolment. They are not shared with the CBSA. 


Personal information is collected from the application form as completed by the applicant, and with the 
consent of the applicant. The personal information is used by both Canada and the U.S. to determine 
eligibility in the NEXUS program. Only a "Pass" / "Fail" indicator is exchanged between the two 
countries; if one of the countries fails an applicant, the reason is not shared with the other country and 
membership in NEXUS is denied. 


The NEXUS program is registered in the Index of PIB on Info Source under PIB #CBSA PPU 031 (see 
Schedule B). As of September 30, 2016, there were 1,444,374 NEXUS members. 


The NEXUS PIA was originally submitted to the OPC in early 2011. The CBSA committed to providing the 


OPC with an update to the NEXUS PIA, when warranted. Since the PIA was originally submitted, a 
number of changes that affect NEXUS have occurred. Those changes are explained below: 


Canada Border Services Agency | E 


NEXUS Program | | PIA 


1. Trusted Traveller CATSA Security Lines (TTCSL): In the Spring 2010, the CBSA Supported and. 


worked closely with the CATSA on the im plementation of the TTCSL at CATSA Pre-Board Screening 
checkpoints which provides dedicated CATSA security screening lines to NEXUS members at the 
eight major airports as well as select medium-sized airports in Canada. Visual card verification by 
a CATSA screening officer is performed. 


A pilot ran from March 2013 until December 2013, at the Vancouver International Airport 
whereby the CBSA was responsible for in-house system changes to allow CATSA to ping the GEC 
database, which houses NEXUS membership data. Machine-readable zone technology (the 

swiping of the black strip on the back of the NEXUS card) was used at the beginning of the pilot 
but by the end, RFID technology had been implemented. Only RFID technology was being used 
when a second pilot was implemented in February 2015, at the Edmonton International Airport 
(the automated gate solution continues to be used at this airport). The CBSA and CATSA use RFID 
technology when a NEXUS member uses the dedicated CATSA line: the RFID embedded in the card : 
will prompt a picture of the member associated with that card on a screen for the screening 
officer to view and match the person using the CATSA line. If the screening officer deems it to be a 
match, the officer allows the member through the gate; if it is not a match, the person is sent to 
the regular security screening line. Nothing more than the person's photo is displayed to the 
security officer in order to identify the NEXUS member at the CATSA line. After the photo is 
viewed by the screening officer, the CATSA information system permanently deletes the 
photograph. CATSA is planning to roll out an automated gate solution with RFID functionality at 

_ the new Calgary International Airport terminal in April 2017. 


A Memorandum of Understanding (MoU) for the disclosure of NEXUS biometrics to CATSA to 
enable CATSA to develop and maintain an automated gate solution with the CBSA has been 
developed and is attached at Schedule UU. A Service Level Agreement (SLA) that expires on 
December 31, 2016, has also been signed between the CBSA and CATSA (the SLA is attached at 
Schedule WW). The CBSA and CATSA intend to renew both documents. 


2. Trilateral Trusted Traveller Arrangement: Expanding NEXUS benefits beyond Canada and the U.S. 
is a commitment under the Beyond the Border Action Plan that was released by Prime Minister 


Harper and President Obama on December 7, 2011. The Trilateral Trusted Traveller Arrangement 
is based on extending eligibility criteria of the NEXUS program to third country citizens/nationals 
who are members of their own domestic trusted traveller program; in turn, NEXUS members 
would apply directly to the third country program to receive reciprocal benefits from that 
country. Eligible third country applicants will complete the NEXUS application form on a voluntary 
basis, fulfill the screening criteria, and pay the applicable fee. While the logistics around the 
interview process is still under discussion, the requirement for an interview remains uncha nged 
to complete the application process. 


The revocation or suspension of membership to the domestic program will be communicated for 
the purposes of maintenance of membership. The reasons for cancellation or suspension, 


however, will not be shared. 


As per the North American Leaders Summit, the first Trilateral Trusted Traveller Arrangement will 
be with Mexico. An MoU between the CBSA, the U.S. CBP, and Mexico's Instituto Nacional de 
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Migracion (INM) has been developed regarding an Arrangement that includes, but is not limited 
to, expanding eligibility of the NEXUS program to individuals who are members of their own 
domestic program. 


The MoU was signed at the Minister/Secretary level by all three countries on July 2015, and is 
attached at Schedule NN. An Operational Program Plan was approved in June 2016, which details 
the procedures articulated in the MoU, including those pertaining to information sharing. The 
program is expected to be implemented in 2017 (Schedule OO). 


It is important to note that no personal information is shared between the CBSA and INM since 
the third party applicant applies directly through GOES who then sends the applicant's | 
information to the CBSA for a NEXUS risk assessment. Similarly, a Canadian NEXUS member would 
apply directly to the third country's domestic program. 


The CBSA has also entered into negotiations on a Trusted Traveller Arrangement with the United 
Kingdom (UK) based on extending eligibility of the NEXUS program to UK citizens that are 
approved members of their own Register to Apply program. As previously outlined in the Mexico 
Arrangement, the same processes to confirm membership status apply to the UK. Canadian 
Citizens are already eligible to apply to the UK's Registered Traveller program, so there are no 
additional reciprocal benefits for NEXUS members and therefore no information sharing for 
Canadians applying to the UK program. 


3. NEXUS eGate: In 2014, the CBSA launched the NEXUS eGate pilot at the Peace Bridge port of 
entry at Fort Erie, Ontario, following a request from the Niagara River Bi-national Mayors 
Coalition to increase NEXUS benefits, specifically with respect to expansion of hours of operation 
of the NEXUS lanes in the Niagara Region. The pilot consisted of two electronic gates (entrance 

and exit) installed in the NEXUS lane, a sensor to read the NEXUS card, video surveillance 
equipment to transmit images to the office and an intercom for the CBSA Border Services Officer 

(BSO) to communicate with members in the vehicle. While the pilot ended in May 2015, NEXUS 
eGate remains operational at the POE pending the results of the analysis and a decision by the 
Agency for a way forward with proof of concept (for details on how NEXUS eGate works, please 
see Schedule GG - Peace Bridge NEXUS eGate Standard Operating Procedures and Schedule HH — 
Peace Bridge NEXUS eGate Mock-up Drawing). The NEXUS website provides a brief description of 
NEXUS eGate at http://www.cbsa-asfc.gc.ca/prog/nexus/egate-porteelec-eng.html 


A BSO has the ability to access the GEC and view the NEXUS membership information and photo 
from within the CBSA office (using existing NEXUS technology). The capturing and storing of video 
transmissions is the only aspect that is new to the NEXUS program. Video of the vehicle, driver 
and occupants in the NEXUS lane is captured, stored and disposed of as per current CBSA Policy 
on the Overt Use of Audio-Video Monitoring and Recording Technology, dated November 2013. 
Recordings of any audio-video monitoring activity will be retained for thirty days following the 
date of their creation. 
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IT - Security, in collaboration with the Alternate Reporting unit (Office of Primary Interest for the 
NEXUS eGate pilot) have determined that no Statement of Sensitivity is required at this time since 
no additional information is being collected that is different from the current NEXUS process flow 
and transmission of information is in line with the current policy in place. The NEXUS eGate 
process flow is included at Schedule MM. 


The NEXUS eGate Business Requirements for Proof of Concept at Peace Bridge, Fort Erie, is also 
attached at Schedule JJ. 


4. NEXUS Kiosk Replacement: When the original NEXUS PIA was submitted to the OPC in 2011, the - 
NEXUS kiosks were determined to be a privacy risk since they were “at the end of their life cycle 
that could result in critical equipment failure and could jeopardize the delivery of the NEXUS 
program”. This risk has now been mitigated with the installation of 86 new NEXUS kiosks that 
have been installed at tier 1 Canadian airports and Billy Bishop Toronto City Airport under the 
Kiosk Replacement Project. Please see section 6 — Summary of Analysis and Recommendations for 
further information on this “risk” (for the kiosk Business Use Case, the Technology Architecture 
Design, and TRA and SOS, see Schedules PP, QQ, and RR respectively. 


5. Vicinity Radio Frequency identification (RFID): Under the Beyond the Border Action Plan, Canada 


committed to implementing Radio Frequency Identification (RFID) technology in a minimum of 
two lanes at 11 land POEs (for a total of 22 lanes) to facilitate and expedite the secure passage of 
people and goods across the shared Canada-U.S. border. 


The RFID initiative: 

o Allows faster secure capture of individual traveller information while in PIL, prior to their 
arrival at the primary inspection booth; | 

o Allows effective risk assessment through automated queries, reducing the administrative 
burden on BSOs and allowing them more dedicated attention to traveller interviews where 
warranted; and, 

o Increases public awareness of RFID-enabled documents and availability of RFID technology at 
Canada's border to facilitate and expedite border-crossing 


In preparation for RFID reader installation, an information technology update was made to the 
Integrated Primary Inspection Line (IPIL) Highway traveller processing application in October 2014 
to lay the foundation, allowing NEXUS cards to be read by existing RFID-readers in flex lanes, once 
installed. An information technology update was made to the IPIL Highway traveller processing 
application on February 11, 2016 to be able to display information obtained through the new RFID 
readers. 
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Part 1: Is the new or changing program/activity necessary to meet a specific need? 


Trilateral Trusted Traveller Arrangement 


The trilateral trusted traveller arrangement with the U.S. and Mexico is necessary to align with the 
commitments made in the Beyond the Border Action Plan and the 2014 North American Leaders 
Summit. The country selection and mandatory criteria were set out in the approved Memorandum to 
Cabinet in November 2013. 


NEXUS eGate: 

It was determined that the use of NEXUS eGate would provide NEXUS members extended access to the 
NEXUS lane after hours of operation at the Port of Entry (POE), without increasing risk, and providing 
flexibility in terms of resource management by giving BSOs the ability to perform other duties inside the 
office, while awaiting NEXUS traffic. A NEXUS eGate lane is operated remotely from inside the CBSA 
office at the Peace Bridge POE. 


Trusted Traveller CATSA Security Line (TTCSL): 


TTCSL provides dedicated CATSA security screening lines to NEXUS members at busy airports. The TTCSL 
allows NEXUS members to present themselves at a CATSA Screening checkpoint to access the 
designated TTCSL. The need is for a procedure that continues to maintain the necessary security 
standards while offering NEXUS members an added benefit. 


NEXUS Kiosk Replacement 
When the original NEXUS PIA was submitted to the OPC in 2011, the NEXUS kiosks were determined to 


be a privacy risk since they were "at the end of their life Cycle that could result in critical equipment 
failure and could jeopardize the delivery of the NEXUS program". This risk has now been mitigated with 
the installation of 86 new NEXUS kiosks that have been installed at tier 1 Canadian airports and Billy 
Bishop Toronto City Airport under the Kiosk Replacement Project. 


Radio Frequency Identification (RFID): 


The vicinity RFID improves the functionality of the NEXUS card in the land mode at NEXUS crossings by 
allowing an RFID chip to be read within three to four metres of an RFID antenna. This permits time 
savings as an added benefit for the NEXUS member. 


Part 2: Will the new/modified collection be effective in meeting the need? 


Trilateral Trusted Traveller Arrangement 


The new collection of information is only related to membership validation for third country nationals. 
For example, for NEXUS membership, the U.S. system will confirm that a Mexican national is a member 
of their own domestic program in order to satisfy the eligibility criteria as set out in Canada's regulation 
and policy criteria. The collection of personal information from Mexican nationals will be collected by 
U.S. CBP through GOES; once GOES confirms that the applicant is a member of Viajero Confiable, the 
applicant will only then be able to proceed with the NEXUS application. As per standard protocol, the 
U.S. CBP will forward the applicant's personal information to the CBSA for Canada to commence their 
NEXUS risk assessment. If a Mexican national is no longer a member of their own program, U.S. CBP will 
be notified and they will cancel their NEXUS membership. Apart from the sharing of personal 
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information between the U.S. CBP and Mexico's INM, in order to confirm membership in one's own 
program, all other information sharing is conducted as per the regular NEXUS protocol. 


Conversely, for the Viajero Confiable membership, Mexico's system will confirm with the U.S. system 
that Canadian and U.S. applicants a are NEXUS members. 


The same procedure would apply for UK citizens applying to NEXUS who are already members of their 
domestic program, Register to Apply. 


NEXUS eGate: 

The collection of personal information remains the same as with the NEXUS program; the NEXUS eGate 
technology allows for a BSO to process travellers remotely from inside the POE, thereby allowing the 
NEXUS lane to be open for extended hours at a land border crossing. The implementation of NEXUS 
eGate provides flexibility to have the NEXUS lane staffed during peak hours, and then run remotely from 
the CBSA office at the POE during off peak hours. When being run from the office, the interaction with 
the NEXUS traveller occurs via an audio/visual system and the BSO raises the gate remotely once a 
release or refer decision is made. This allows the BSO to perform other tasks since he/she does not have 
to physically be at the NEXUS lane. 


Trusted Traveller CATSA Security Line (TTCSL): 


The modified method of security screening will continue to allow the CBSA to confirm NEXUS 
membership and allow for an improved passenger experience and passenger flow through the 
automated gate solution. 


NEXUS Kiosk Replacement: 


The collection of personal information remains the same but less kiosk outages are anticipated since 
new NEXUS kiosks have been instituted at various major airports across Canada. This will enhance the 
trusted traveller experience. 


RFID: | 
This functionality will maximize the use of RFID technology, thus enhancing effectiveness of the 
technology. | 


Part 3: Is the loss of privacy proportional to the need? 


NEXUS eGate/ Trusted Traveller CATSA Security Line (TTCSL)/NEXUS Kiosk Replacement/RFID: 


There is no loss of privacy with the addition of these changes that affect NEXUS. 


Trilateral Trusted Traveller Arrangement 


There is no loss of privacy in the Arrangement as a NEXUS member who wishes to volunta rily apply to 
Viajero Confiable, would do so directly with that program. Similarly, a Mexican or UK applicant could 
voluntarily apply to NEXUS and go through the same risk assessment as a Canadian or American 
applicant. 
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Part 4: Is there a less privacy-invasive way of achieving the same end? 


NEXUS is a voluntary program that expedites the border clearance process for low-risk, pre-approved 
travellers into Canada and the U.S. All of the new projects listed in this PIA that affect NEXUS have been 
initiated to either improve efficiencies or the integrity of the program. The least privacy-invasive way of 
achieving these efficiencies and procedures was contemplated for each change. Further, the revised 
Canadian Privacy and Consent Statements explain why and how an applicant’s personal information is 
collected, used and shared. The applicant must consent to these Statements before submitting their 
NEXUS application. 


Personal information submitted voluntarily by an applicant is required for the CBSA to perform initial 
and continued risk assessments to ensure an applicant is low-risk pursuant to the meaning and spirit of 
the NEXUS program for the duration of their membership. None of the new projects detailed in this 
revised PIA ask the applicant to provide any additional personal information than was required under 
the original PIA submitted in 2011. 


Roles and Responsibilities 


1. Clients 


Canadians, Americans and Mexicans who wish to become members of the Trilateral Trusted 
Traveller Arrangement will first be required to become a member of their own domestic trusted 
traveller program (for Canada and the U.S., NEXUS would be used). Only those Canadian and U.S. 
citizens as well as permanent residents who have applied for an authorization to present 
themselves for customs and immigration inspection in an alternative manner, are eligible to apply 
for NEXUS membership. Canadian applicants apply either by paper application in Canada or 
electronically through the GOES U.S. portal. 


Mexican applicants will also be required to go through the risk assessment process to become a 
NEXUS member. Again, each country will risk assess an applicant individually and only share their 
“Pass” / “Fail” indicator. 


A detailed description of the data flow for Canadian applicants is provided in Section 4 of this PIA. 


2. U.S. CBP 


The CBSA partners with U.S. CBP to deliver NEXUS and have a shared role in setting program 
policy and managing the delivery of the program in their respective countries. As reflected in 
Section 4 of this PIA, a Canadian applicant to the NEXUS program is presented with a Privacy 
Notice Statement and explanatory text providing appropriate openness and clarity regarding the 
involvement of the U.S. CBP. Both countries perform security assessments on NEXUS applicants 
and share a “Pass” / “Fail” indicator. Only when both countries have provided a “Pass” is the 
application approved for membership in NEXUS. 


An MOU has been signed between the CBSA and the U.S. CBP (see Schedule A), which, in part, 
provides restrictions on the use and secondary disclosures of NEXUS applicant data. 
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Under the Trilateral Trusted Traveller Arrangement, a Mexican national who wishes to become a 
NEXUS member will apply through GOES. The U.S. CBP will need to validate the applicant's 
identity and determine membership in the applicant's own domestic program (in this case Viajero 
Confiable). 


Once the U.S. confirms with INM that the applicant is a member of their own domestic program, 
the Mexican national would then be able to proceed with the NEXUS application. The application 
and risk assessment process is then the same as for a Canadian or American applicant. 


The CBSA and U.S. CBP independently determine an applicant's status and only share the "Pass" / 
"Fail" indicator. 


3. Mexico's Instituto Nacional de Migracion 
A Canadian citizen who is a NEXUS member and who wishes to apply to Mexico's Viajero 


Confiable will apply directly to that program. Mexico's INM will submit the personal information 
mentioned in section 2 above to the U.S. system for validation that the applicant is a NEXUS 
member; once done, they will risk assess the applicant according to their own domestic 
procedures. 


It is important to note that no personal information will be shared between the CBSA and INM 
since a Canadian applicant to Viajero Confiable would apply directly to that program. 


4. United Kingdom 
The CBSA has also entered into negotiations on a Trusted Traveller Arrangement with the UK 


based on extending eligibility of the NEXUS program to UK citizens who are approved members of 
their own Register to Apply program. Canadian citizens are already eligible to apply to the UK's 
Registered Traveller program, so there are no additional reciprocal benefits for NEXUS members 
and therefore no information sharing for Canadians applying to the UK program. 


5. Canada Revenue Agency 
The Canada Revenue Agency (CRA) is responsible for user endpoint (e.g. desktop, laptop, 
handheld) provisioning and support services. 


6. IBM Canada and Perceptics LLP 
To support the devices, kiosks, and technology of the NEXUS program, the CBSA utilizes private 
sector contractors; however, contractors are never requested to collect, use, disclose, or retain 
information on behalf of the CBSA NEXUS program. Furthermore, under no circumstances do 
these contractors have access to personal information about NEXUS members. 


IBM Canada is responsible for maintaining iris technology, kiosks and cameras for NEXUS air 
mode, and Perceptics LLP (Perceptics) is responsible for maintaining the highway mode lane 
technology and equipment (e.g. RFID). Note that for NEXUS eGate, although an RFID reader is 
used, it is not the same RFID reader purchased under the NEXUS Perceptics contract. It is an 
independently purchased reader that is specifically calibrated to only read NEXUS cards. Its sole 
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purpose is to open the pre-PIL gate and allow entry into the NEXUS lane. At this point, no personal 
information is read, stored or transmitted in any Way. 


In the case of IBM Canada, all support work is done on-site as required and requested by CBSA 
Officials. Contractors performing work on behalf of IBM Canada provide kiosk and iris camera 
technical services or functional improvements. There is no information stored on the kiosks, 
therefore, IBM contractors do not have access to the CBSA's NEXUS iris database. 


Perceptics provides the CBSA with Return to Depot, Next Day Replacement, and Maintenance and 
Support services for the NEXUS Highway integration solution; Perceptics is not a service provider 
for the NEXUS kiosks or NEXUS marine. The integrated solution is comprised of vicinity card 
readers, license plate readers, license plate set-up, site preparation, site installation and 
implementation, integration software, and related Support and maintenance. Perceptics 
contractors do not have access to personal information, including the NEXUS iris database. The 
hardware devices, which Perceptics maintains, do not contain any personal information. 


Although neither contractor has access to personal information, the contract has been awarded in 
accordance with an approved Security Requirements Checklist (SRCL) and related security and 
privacy clauses. IBM and Perceptics contractor personnel who require access to protected 
information, assets or sensitive work site(s) must hold a valid Reliability screening granted by the 
CRA through Public Service and Procurement Canada (PSPC). Furthermore, IBM and Perceptics 
must not remove any protected information or assets from the identified work sites and the 
Contractor must ensure that its personnel are made aware of and comply with the restriction. 
IBM and Perceptics must also comply with the provisions of the SRCL and the Security 
Requirements for Protection of Sensitive Information issued by PSPCC's Canadian Industrial 

. Security Directorate (CISD). | 


Additionally, the contracts with IBM and Perceptics (and any other future contractors) include the 
following statement regarding personal information: | 


Handling of Personal Information 

The Contractor acknowledges that Canada is bound by the Privacy Act, R.S.C. 1985, c P- 
21 with respect to the protection of personal information as defined in that Act. The 
Contractor shall keep private and confidential any such personal information collected, 
created, or handled by the Contractor under the Contract, and shall not use, copy, 
disclose, dispose of or destroy such personal information except in accordance with 
this clause and the delivery provisions of the Contract. All such personal information is 
the property of Canada, and the Contractor shall have no right in or to that 
information. The Contractor shall deliver to Canada all such personal information in 
whatever form, including all working papers, notes, memoranda, reports, data in 
machine-readable format or otherwise, and documentation which have been made or 
obtained in relation to this Contract, upon the completion or termination of the 
Contract, or at such earlier time as the Minster may request. Upon delivery of the 
personal information to Canada, the Contractor shall have no right to retrain that 
information in any form and shall ensure that no record of the personal information 
remains in the Contractor’s possession. 
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7. SharedServices Canada (SSC) | 
SSC is responsible for application and database hosting infrastructure and network services. 


Scope of the PIA 


The NEXUS PIA was originally submitted to the OPC in early 2011. This updated version includes 
descriptions of the changes that have occurred since that time that affect NEXUS i.e. Trusted Traveller 
CATSA Security Lines; Trilateral Trusted Traveller Arrangement; NEXUS eGate; NEXUS kiosk replacement; 
and, Vicinity RFID. 


This assessment also includes all activities related to the collection, storage and use of personal 
information by the CBSA where it concerns NEXUS. it also describes what type of personal information is 
shared with the U.S. CBP to jointly administer the program. 


The assessment does not address concerns relating to the collection, storage or use of personal 
information where the information is provided by the individual directly to the U.S. CBP. 
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SECTION 1 - OVERVIEW AND INITIATION 


Report Objectives 
This report is a PIA for the NEXUS program of the CBSA. The objectives of this PIA are: 


to review the business processes in order to identify the data flow of personal information; 
to analyze the collection, use, disclosure and retention of personal information; 

to determine if there are privacy risks associated with the NEXUS program; and 

to provide recommendations on the mitigation or elimination of the risks. 


The information presented in this report follows the Treasury Boa rd of Canada Secretariat Privacy 
Impact Assessment policy and guidelines. 


The purpose of a PIA process is to ensure that privacy is considered throughout the project development 
cycle. The results of a PIA are a documented guarantee that privacy issues have been identified and 


adequately addressed. | 


Government Institution: Canada Border Services Agency, Programs Branch 


Government Official Responsible for the Head of the government institution / Delegate 
Privacy Impact Assessment for section 10 of the Privacy Act 
CBSA Vice President lead for program or CBSA ATI and Privacy Director 


activity 


Name of Program or Activity of the Government Institution: 
Program Activity 1.2 - Secure and Trusted Partnerships V Program Sub-Activity 1.2.1 — Trusted Traveller 


Description of Program or Activity: 


Secure and Trusted Partnerships 


Through the Secure and Trusted Partnerships program, the CBSA works closely with clients, other government 
departments and international border management partners to enhance trade chain and traveller security while 
providing pre-approved, low-risk travellers and traders with streamlined and efficient border processes. The 
CBSA develops and administers programs and cooperative agreements with its partners to ensure alignment 
with international standards (e.g. World Customs Organization SAFE Framework of Standards) and promote best 
practices in global border management. By increasing membership in trusted traveller and trader programs, the 
CBSA is able to improve its capacity to mitigate risk in advance and focus examination efforts on identifying | 
travellers and traders of unknown or higher risk. 


Trusted Traveller 
The Trusted Traveller Programs are designed to simplify the border clearance process for pre-approved, low-risk 
travellers entering Canada. The CBSA offers two programs for travellers, NEXUS and CANPASS. These programs 
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streamline (expedite and simplify) border clearance. NEXUS is a joint initiative with the U.S. CBP in the air, land 
and marine modes of transportation, while CANPASS is a Canadian suite of programs for clients entering Canada 
by plane, corporate and private aircrafts and private boats. Both programs are available to citizens or 
permanent residents of Canada and/or the U.S. and enable members to cross the border faster when travelling 
to Canada and, in the case of NEXUS, when travelling to the U.S. 


Applicants to the programs must pass various assessments (e.g. security checks, interviews and risk 
assessments) specific to the program before being granted membership. NEXUS members can use iris 
recognition technology for passage processing at designated airports, and Radio Frequency Identification 
technology for processing at designated highway ports of entry. Members of NEXUS or the CANPASS Private 
Boat, CANPASS Corporate Aircraft or CANPASS Private Aircraft programs entering Canada by private aircraft, 
corporate aircraft or private boat must report their arrival in advance and make their declarations to the CBSA 
Telephone Reporting Centre. 


Description of the class of records associated with the program or activity 


Class of Record Number: 


C] Proposal for a New Personal Information Bank 
Dx] Proposal to modify an existing Personal Information Bank - identify PIB registration number and current 
description: | 


NEXUS Program Personal Information Bank 


Description: This bank describes information that is about individuals who have applied to the NEXUS 
program. NEXUS is an expedited border clearance program jointly administered by the Canada Border 
Services Agency (CBSA), and the United States Customs Border Protection (CBP) with dedicated lanes at 
the land border, kiosks at airports and telephone reporting in marine mode for pre-approved low risk 
travellers. The CBSA may also enter into reciprocal arrangements with countries other than the United 
States that also have similar programs to extend NEXUS privileges to citizens of those countries. The 
personal information may include full name, contact information, biographical information, biometric 
information, citizenship status, credit information (credit card number), criminal checks/history, date of 
birth, other identification numbers, physical attributes (gender), place of birth, signatures, immigration 
enforcement checks / history, national security assessment, pass/fail results of program eligibility checks 
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conducted by the CBP, and copies of travel and identification documents submitted as part of the 
application process. 


Note: Information may be stored in the following internal systems / databases: Global Enrolment 
Component (GEC) of the Integrated Customs System (ICS); the Risk Assessment Component (RAC) pings 
the Integrated Customs Enforcement System (ICES), Interdiction Border Alert System (IBAS), Canadian 
Police Information Centre (CPIC), and the National Crime Information Center (NCIC) at enrolment. At 
each passage, ICES, IBAS and CPIC are checked. A NEXUS membership will enable air travellers to save 
time by using the Trusted Traveller Canadian Air Transport Security Authority (CATSA) Security Line at 
major and select medium-sized Canadian airports to expedite airport pre-boarding security screening. 


Class of Individuals: NEXUS Program applicants. 


Purpose: To determine if an applicant can be approved to participate in an expedited border clearance 
program. Personal information is collected pursuant to s. 11(6) of the Customs Act- and s. 6.1 of the 
Customs Act Regulations 2003-323. 


Consistent Uses: As part of the risk assessment, the Applicant's first name, middle name, last name, 
date of birth and gender may be used to query enforcement information from the CBSA's Integrated 
Customs Enforcement System (CBSA PPU 016), criminal record information from the Royal Canadian 
Mounted Police's Canadian Police Information Centre database (Operational Records RCMP PPU 005), 
and immigration enforcement information from Immigration, Refugee and Citizenship Canada's 
Interdiction Border Alert System (Immigration Case File CIC PPU 042) 


The applicant's first name, middle name, last name, date of birth and gender may be disclosed to the 
U.S. Federal Bureau of Investigation to query criminal records against the National Crime Information 
Center database. | 


The member's facial photograph may be shared temporarily with CATSA to validate identity when the 
member uses the Trusted Traveller CATSA Security Line (Boarding Pass Security Screening PIB CATSA 
PPU 100). 


All of the information provided directly by the applicant may be shared with the CBP in the 
administration of program membership, and to the U.S. Government Print Office for issuance of the 
NEXUS card. Only the pass/fail result from the CBSA risk assessment will be shared with the CBP to 
confirm an applicant's program eligibility. 


Personal information may be shared within the CBSA for the following: to administer appeals concerning 
revocation of NEXUS membership (Enforcement and Trade Appeals CBSA PPU 005); to ports of entry to 
confirm valid membership for admissibility purposes in designated Trusted Traveller lanes (Traveller 
Processing CBSA PPU 1101); to the CBSA Enforcement and Intelligence Operations Directorate as part of 
the CBSA risk assessment process to check for immigration and customs infractions (CBSA PPU 018); 
and, to the Overt Audio-Video Surveillance area as part of the NEXUS eGate pilot at Fort Erie, Ontario 
(CBSA PPU 1104). 
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Confirmation of membership may be shared with those countries other than the United States with 
which the CBSA has entered into a trilateral trusted traveller arrangement that extends NEXUS privileges 
in accordance with those arrangements. 

Retention and Disposal Standards: Applications of non-successful applicants are retained for two years 
following the redress period. Applications of successful applicants are retained for six years after the 
application is approved. Original iris scans of successful applicants are retained for at least two years, 
while iris scans captured at passage are kept for a period of two years. The records are then destroyed. 
RDA Number: 2015/008 

Related Record Number: CBSA ADM 117 

TBS Registration: 002788 


Bank Number: CBSA PPU 031 
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Legal Authority for Program or Activity: 


Summary of the project, initiative, or change: 
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Program or activity that does NOT involve a decision about an identifiable individual 


Personal information is used strictly for statistical / research or evaluations including mailing list 
where no decisions are made that directly have an impact on an identifiable individual. 


The Directive on PIA applies to administrative use of personal information. The Policy on Privacy 
Protection requires that government institutions establish an institutional Privacy Protocol for 
addressing non-administrative uses of personal information. The CBSA Privacy Protocol must be 
implemented. Contact the ATI and Privacy Division before continuing the PIA. 


Administration of Programs / Activity and Services x] 2 


Personal information is used to make decisions that directly affect the individual (i.e. determining 
eligibility for programs including authentication for accessing progra ms/services, administering 
program payments, overpayments, or support to clients, issuing or denial of permits/licenses, 
processing appeals, etc...). 


Compliance / Regulatory investigations and enforcement Dx] 3 


Personal information is used for purposes of detecting fraud or investigating possible abuses within 
programs where the consequences are administrative in nature (i.e. a fine, discontinuation of 
benefits, audit of personal income tax file or deportation in cases where national secu rity and/or 
criminal enforcement is not an issue). 


Criminal investigation and enforcement / National Security IX] 4 


Personal information is used for investigations and enforcement in a criminal context (i.e. decisions 
may lead to criminal charges/sanctions or deportation for reasons of national security or criminal 
enforcement). 


B. Type of Personal Information Involved and Context. D 
Only personal information, with no contextual sensitivities, collected directly from the 
individual or provided with the consent of the individual for disclosure under an 
authorized program. For example: General licensing, or renewal of travel documents or 
identity documents. 


Personal information, with no contextual sensitivities after the time of collection, [x] 2 
provided by the individual with consent to also use personal information held by 

another source. For example: An application process with a requirement for 

independent verification of certain non-sensitive factual details. 


Social Insurance Number, medical, financial or other sensitive personal information Dx] 3 
and/or the context surrounding the personal information is sensitive. Personal 

information of minors or incompetent individuals or involving a representative acting on 

behalf of the individual. For example: An individual's name on a particular list may 

reveal sensitive information on the health, financial situation, religious or lifestyle 
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choices of that individual. 


Sensitive personal information, including detailed profiles, allegations or suspicions, 
bodily samples and/or the context surrounding the personal information is pa rticularly 
sensitive. For example: Personal information that reveals intimate details on the 
health, financial situation, religious or lifestyle choices of the individual and which, by 
association, reveals similar details about other individuals such as relatives. 


| Within the CBSA (amongst one or more programs within the CBSA) 


(5—— 


| With other federal institutions 


| With other or a combination of federal/ provincial and/or municipal government(s) 


Private sector organizations or international organizations or foreign governments 


One time program or activity 


Typically involves offering a one-time support measure in the form of a grant payment as a social l 
support mechanism. i M | | 


Short-term program 
A program or activity that supports a short-term g 
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; Long-term program | X] 3 
| Existing program that has been modified or is established with no clear “sunset”. | | | 


Canada Border Services Agency 


NEXUS Program | PIA 


The program affects all employees for internal administrative purposes. E. [ ]2 
: The program affects certain individuals for external administrative purposes. | Dx] 3 i 
The program affects all individuals for external administrative purposes. [ ]4 | 


aei dil B ie 


1.1 Does ther new or modifi ed program or activity involve t the implementation of a new | 
electronic system, software or application program including collaborative software (or  YES | 


| groupware) that is implemented to support the program or activity in terms of the | | 
: creation, collection or handling of personal information? NO 
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| 5.2. Does the new or modified program or 
| systems and / or services? 
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: 6.3 Does the new or modified program or activity involve the im plementation of one ormore | | 
_of the following technologies: | P | 


E 


6.3.1 Enhanced identification methods: - 
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint 
analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass | 
technology, new identification cards including magnetic stripe cards, “smart cards” {i.e | | 

| identification cards that are embedded with either an antenna or a contact pad that i | | dx : 
| connected to a microprocessor and a memory chip or only a memory chip with non- | 
programmable logic). | | | 


M reve se a D" 


H 


| 
i 
| 


i | 
i i 
| 
; ; 
: : 
H i 

H 


à 
i : : 
: H : 
; i i 
i i i 
: i 
: | | | 
i 
H ] ; 
i i i 
i 1 
ri i 
H H 
E i 


: 

H 

i 

: : 

i 1 ; 
: : 


i 


j 


: H H 
i 


i 
i 
j : 
i i 
E H i 
i i ! 
i 
i : 
H i 
i i 
i i : 
H i P 
H i 
H ; 
H i i 
i ; ; 
; $ 
| j 
: ; i 
i | | 
| F 
' à 
H : 
H : 
i 
í 


| | : 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


NEXUS Program PIA 


| 6.3.2 Use of Surveillance: | PR 
| This includes surveillance technologies such as audio/video recording devices, thermal ^. YES 
| imaging, recognition devices, RFID, surreptitious surveillance / interception, computeraided j 
| monitoring including audit trails, satellite surveillance etc. | NO 

| | | 
| | | 
/ | | 
| | | 


| : 
| | | 
| | | 
| | 
; ' | 
|. 6.3.3 Use of automated personal information analysis, personal information matching and | | 
| knowledge discovery techniques: | YES | 
For the purposes of the Directive on PIA, CBSA is to identify those activities that involve the | | 
| use of automated technology to analyze, create, compare, culi, identify or extract personal ^ NO | 
: information elements. Such activities would include personal information matching, record | | 
i linkage, personal information mining, personal information comparison, knowledge discovery, | | 


information filtering or analysis. Such activities involve some form of artificial intelligence 
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and/or i machine learning to uncover knowledge (intelligence), tr trends/patterns or to predict - | 
| behaviour. | | 


| The personal information is used within a closed system. 


No connections to Internet, Intranet or any other system. Circulation of hardcopy documents is 


controlled. | | 
epe — — — 7 
|. 2 E 
| The personal information is transferred to a portable device c or is s printed. |. Pa | 
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The personal information i is transmitted using wireless technologies. 
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. Managerial harm. 


Processes must be reviewed, tools must be changed, change i in n provider / partner. 
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, Organizational harm. 
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| Changes to the organizational structure, changes to the organizations decision-making structure, 
| changes to the distribution of responsibilities and accountabilities, changes to the program activity 
architecture, departure of employees, reallocation of HR resources. | 


_ Financial harm. | [ ]3 


Lawsuit, additional moneys required reallocation of financial 


Reputation harm, embarrassment, loss of credibility. | Ix] 4 


| Decreased confidence by the public, elected officials under the spotlight, institution strategic 
| outcome compromised, government priority compromised, impact on the (GoC) outcome areas. 


resources. : 
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| Inconvenience. 


. Reputation harm, embarrassment. 
: Financial harm. 


| Physical harm. 
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SECTION 3 - ANALYSIS OF PERSONAL INFORMATION ELEMENTS 


Personal Information Elements and Sub-elements 
Note: Identification of sub-elements is necessary where sensitive personal information is being collected or where the type of program or activity presents a potential 
privacy risk at levels 2, 3, or 4 in "Section 2 - Risk Identification and Categorization" above. 
| - .. CategoryOf | Personalinfo |, Personal Information . Purpose / Necessity 
. Personalinformation = | . Elem . Sub-Element . . a ! | of Element — 
First name / middle initial / last| Paper and To identify clients 
name Electronic 


rmation 
nt 


| Format - 


Nickname 


Other Names (former names, 
maiden names) 


Physical Attributes Gender Male/Female Paperand To identify clients 
| E Electronic M 
Date of Birth (DOB) DOB | Month/Day/Year Paper and To identify clients 
Birth Certificate Information Electronic 
Birth Certificate | Birth Certificate No. Birth Certificate No and Paper and To provide proof of citizenship and 
and Document Document Electronic birth. | 

Place of Birth Place of Birth City/State or Province/Country | Paper and To identify the individual and eligibility 

| Electronic in the program. 


Citizenship Status or Citizenship Status Citizenship in Canada or the Paper and To provide proof of identity and 
Nationality | United States; Electronic citizenship/status. 


Citizenship and/or Nationality 
of Third Country that has an 
arrangement with CBSA- 
CBP NEXUS Program 
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| CategoryOF | Personal Information | Personal information | | ormat |  Pupose/Necesity — 
. . Personal Information — . Element .. Sub-Element MELDE NEG ofElement 
Citizenship Status or Citizenship Document Citizenship Document Paper and To provide proof of identity and 
Nationality Naturalization Naturalization Electronic citizenship/status. 

Certificate No and Certificate No and 

Document Document 

Visa/Permit Visa/Permit 

Permanent Resident Permanent Resident Document 


Document 


Passport Number or Travel Passport or Travel Passport Number Paper and To provide proof of identity, citizenship, 


Document Document Number Travel Document Number Electronic and to determine eligibility in the 

(and photocopy of program. 
| | document) Photocopy of document 

Other Identification Numbers Driver's License and Driver's License and Number Paper and To provide proof of identity and to 
Number Electronic determine eligibility in the program. 

Other identification Numbers | _ | CBSA (GEC system GEC Identification number Paper and To identify individual’s by file number. 
driven number) GES identification number Electronic 
CBP (GES system 


driven number) 


To contact clients and to assist in 
performing checks in determining 

eligibility in the program; to deliver 
NEXUS card 


Street name / street number / | Paper and 
city / province or state / postal | Electronic 
code/country/telephone 
number/business telephone 
number/email address 


From Date/To Date 


Contact information Home address 


Previous Home 
address 


Work History Employer Name/street 
address/city/province or 


state/postal code/country 


Biographical Information Paper and 


Electronic 


To assist in performing checks in 
determining eligibility in the program 


Employer telephone number 


Type of Occupation 
From Date/To Date 
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... Personal Information . Sub-Element - Four . . ofElement _ 
Biometric Information Iris Scan Iris Scan Electronic To identify clients upon entry into 
Photograph Photograph Canada as being a trusted member of 


the program. 


Credit Information Credit Card Credit Card Information Paper and To collect payment for inclusion in the 
Information Electronic program 
To record certification that application 


. | Signature Signature Signature Paper and Collected along with the credit card 
information provided is accurate 


Electronic information for payment purposes 
Criminal Checks/History Criminal Criminal History Information Paper and To determine eligibility in the program 
Checks/History Electronic 
Immigration enforcement immigration Immigration History Paper and To determine eligibility in the program 
history Checks/History Information Electronic 


New Fields for Trilateral Trusted Traveller Arrangement 


| 


Visa Number Paper and 
Electronic 


Other identification Numbers 
for Third Country Applicants 


Confirmation that 
an applicant is a 
member of their 
own trusted 
traveller program 
(done through 
GOES by U.S. CBP) 


To determine eligibility 


Visa Number Visa Number To provide proof of identity, citizenship, 
and to determine eligibility and 


admissibility in the program. 


Photocopy of Visa Photocopy of Visa 


Electronic Travel Authorization 
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Note: Category of personal information: TBS has developed a list of categories of personal information to simplify the process of describing personal information in 
Personal Information Banks (PIBs). It provides examples of categories and elements that can be used to summarize the personal information collected by most 
federal institutions. The CBSA ATI and Privacy Division has modified the list to better reflect CBSA business lines. The list can be found in Annex C. 


Personal information element: Identify each element of personal information collected (for example: 1) name, 2) home address). 


Personal information sub-element: Identify sub-elements associated with each element of personal information collected (for example: 1) first name / middle initial 
/ last name, 2) street name / street number / city / province /postal code). | 


Type of format: Identify how the personal information will be recorded: on paper, electronically, audio recordings, visual image recordings, human biological 
samples or other (specify). | | 


Purpose of the personal information: Indicate the purpose for which you are collecting these elements or sub-elements of personal information and how these are necessary 
for the program or activity (Note: "necessary" is a higher standard than merely being useful.) 
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| SECTION 4 - FLOW OF PERSONAL INFORMATION 


4.1. Information Systems 


In this section list and describe the information systems involved in the NEXUS application and 
processing work flows. For each system, describe the following: 

e Overall function of the system within CBSA 

e  Function/Use of the system within CBSA 

e Description of the personal information stored in the system related to NEXUS 

e How it is used to support the NEXUS Program 

e Restrictions within the system, such as user rights, read only, etc. 

e Audit capabilities 


Data Flow Model - Diagram 


Overview of the NEXUS 


Application and Enrollment 
Process 


Client Applies On-Line or 
by Mail-In Application 


U.S. Risk 
Asse nt 


U.S. Fail U.S. and Canada Pass Canada Fail 


Applicant may 


EDES SAL a Applicant may 
Natifenti ee il/ reques : GOES Status Notification Email/ request a review Rejection Letter 
o ddl. men Conditionally Approved Letter from CBSA Recourse (from CPC) 
Rejection Letter .S. . 
: Directorate 
Ombudsman a 
Client Schedules {via GOES) and 
attends Interview at Enrolment Centre 


Client interviewed by 
CBP and CBSA : 
eTombstone Information Reviewed 

Documents Authenticated 


U.S. Fail Canada Fail 


eFingerprinting (FBI Verification) 


U.S. and Canada Pass 


elris Capture (where available) 
eClient profile updated 
¢Member Education Provided 
eCard Print Request Submitted 


Membership card must be activated on 
GOES prior to passage 


Trilateral Trusted Traveller Arrangement: 

The only “change” here is that the US system will check with the Mexican DB to ensure that the applicant is in 
fact a member of their domestic program with a Yes/No confirmation. Third country nationals will not be able to 
apply through paper application. 
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Air Passage 


Diagram z: 
Passage (Entering Canada) 
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Trilateral Trusted Traveller Arrangement: 

The only changes in the highway passage will be that the member will need to validate their visa 
validity for visa-required countries and validate their eTA for air passage. Note, third country nationals 
do not receive benefits in the marine mode. 
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NEXUS - On-Line Application Flow 
Basic Nexus 


On-Line Application Flow 
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NEXUS - Paper Application Flow 
Basic Nexus E an. Enabling Marine Pa 


5 Update 
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REDRESS FOR TRUSTED TRAVELLER PROGRAMS 
SSS EU NW TED TRAVELLER PROGRAMS 


Client submits request for review of 
decision to reject their application or 
cancel their membership to the 

Recourse Directorate, Appeals 
Division 


Recourse Directorate, Appeals 
Division overturns eligibility 
| decision 


Recourse Directorate, Appeals 
Division upholds eligibility 
decision 


CPC reinstates the client (provided 
client meets all the eligibility criteria 
for participation in the program) 


Client is advised of their right to 
seek judicial review in the Federal 
Court of Canada 
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1. GEC/CPCS | 
NEXUS membership data is captured and stored on the CBSA’s GEC. GEC is a component within - 
the Integrated Customs System (ICS) that provides the key infrastructure component for the 
delivery of trusted traveller programs by capturing the application data. The personal information 
entered by the applicant is used by the CBSA to determine the eligibility of the applicant and to 
confirm their identity. The personal information elements are listed in Section 3. CPCS is the 
Canadian system that stores payment transactions for NEXUS. 


Audits and compliance checks are not regularly scheduled for user activity in GEC/CPCS, nor are 
there any plans to establish these measures in the future. 


The risk of unauthorized user activity in GEC/CPCS is minimal since modifications are tracked by 
user ID, time of the change, user profiles, and firewalls which restrict unauthorized access. 


Access to data records is determined through user profiles. User profiles are used to govern the 
control and administration of personal and payment information. Only system administrators and 
authorized CBSA maintenance personnel have access to all data for System maintenance 
purposes. The number of privileged maintenance users is kept to a minimum. These employees 
are security screened to the appropriate level and receive security awareness training. Moreover, 
users are limited to accessing only data and services for which they have been authorized. To 
ensure users are accessing information appropriately, log records are maintained of all user 
access and any modifications to an individual's record. These records may be used for audit 
purposes. 


2: Iris database 
An iris scan is performed at a NEXUS kiosk upon return to Canada. The scan at the kiosk is not 
stored by the CBSA; it is only matched with the stored iris that the CBSA would have taken at 
NEXUS enrolment. The purpose of the iris database is for identity matching. 


The Iris Matcher Server is an iris identification piece of technology. It manages the iris templates 
and iris comparison software. It is responsible for handling client kiosk requests to analyze irises 
and return an identifier associated with the request. 


The various components of ICS that are in play when the kiosk is accessed reside partially on 
the mainframe servers and partially on a WebSphere server. The components reside within 
a Secure area at Headquarters. 


3. Third Country Database 


No personal information is shared directly between the CBSA and the third country since the third 
country applicant applies directly through GOES who then sends the applicant's information to 
the CBSA through GEC for a NEXUS risk assessment (but only if the applicant is a member of their 
own domestic program). The same applies in reverse; a Canadian citizen who is a NEXUS member 
would apply directly to the third country program. The U.S. confirms the identity and NEXUS 
membership through a connection with the third country's IT system. 
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4. 
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NEXUS eGate | 

It was determined that the use of the NEXUS eGate would provide NEXUS members extended 
access to the NEXUS lane after scheduled hours of operation at the POE, without increasing risk, 
and providing flexibility in terms of resource management by giving BSOs the ability to perform 
other duties inside the office, while awaiting NEXUS traffic. The NEXUS eGate lane is operated 
remotely from inside the CBSA office at the POE. There are no information sharing considerations 
outside the regular operation of the CBSA. | 


NEXUS Kiosk Replacement and Expansion 


The Kiosk Replacement and Expansion Plan saw 86 new NEXUS kiosks being installed to address 
the ageing technology and kiosk relia bility issues. The new kiosks are equipped with document 
readers, dual printers and updated iris cameras and touch screens, which were purchased and 
implemented starting in fall 2014. This innovative solution has improved the NEXUS client 
experience and enhanced the integrity of the NEXUS program. There are no information sharing 
considerations outside the regular operation of the CBSA. 


Kiosk usage is recorded for complete passages, as well as incomplete passages (i.e. timeout of the 
session, irises not read properly, system error, session cancelled by traveller, inactive 


. membership, document reader failure) for identified members (date, location, screen message 


generated). In the case of an incomplete passage, NEXUS members would use the Special Services 
Counter. Complete and incomplete passages would be used for the purposes of auditing the 
frequency of these events. There is an audit trail of referrals that are stored in passage history in 
ICS. This database will only store one referral type per area i.e. one customs and/or one 
immigration referral type. However, it will store all reasons for the referral. 


The overall process of kiosk use remains the same: 


Kiosk processes one member at a time. 
The individual must be a NEXUS member before they can have access to the air passage 
process. | 

e Kiosks for entry to Canada recognize NEXUS members. Unidentified users are instructed 
to use regular lanes. 

e Members are allowed to use kiosks in any location in Canada where kiosks are available. 
Kiosks are located in the Customs Hall in Canadian international airports. 

e Passage must be accessible and operational 24/7. If the system is down NEXUS members 
may use the Special Services Counter to enter Canada. 

e Ability to provide passage clearance within a set amount of time, otherwise must direct - 
members to appropriate alternative process. 

e Member must carry a valid NEXUS card 

e Membership must be in "active" status. 

e The kiosk instructs the member ( using a video) on how to present their document to the 
reader. 

o Authorized document: NEXUS membership card. 

e The kiosk verbally and visually instructs the member on how to submit their iris biometric 

to confirm identity. | | 
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e Member must have a NEXUS membership card and an iris enrolment reference stored in 
the enrolment database to access the passage process at a kiosk; 

o Members with a permanent medical condition preventing the successful capture 
of their iris biometric will still be allowed membership in NEXUS. 

o Members meeting the above criteria are to have an 'active' membership status 
with a reason code indicating no biometric captured. 

o Members with a temporary medical condition preventing the successful capture 
of their iris biometric, such as cataract surgery, will be allowed membership in 
NEXUS same as above, but will be asked to return to an enrolment centre within a 
designated period of time (e.g. 6 months) to attempt another capture. 

e Membership validation via membership card is required to access the passage process at a 
kiosk. 

e At time of passage, the system displays passage questions' and prompts the member to 
answer each of them. 

e All members who are granted passage at the kiosk, are issued a receipt identifying the 
member's name, residency, membership ID, date & time of passage, kiosk ID and work 
location, and referral/release code. | 

o Fora particular identified member, save details of kiosk usage at a given date, time, 
work location, kiosk/lane. 
* Depending on transactions at passage and how the questions are answered, the member is 
referred to the appropriate authority with a printed receipt. 

e The system provides general kiosk usage statistics such as national usage for all kiosks, 
including on an individual member basis. | 

e Kiosk usage is recorded for complete passages, as well as incomplete passages (i.e. timeout 
of the session, irises not read properly, system error, session cancelled by traveller, inactive 
membership, document reader failure) for identified members (date, location, screen 
message generated). In the case of an incomplete passage, NEXUS members would use the 
Special Services Counter. Complete and incomplete passages would be used for the 
purposes of auditing the frequency of these events. There is an audit trail of referrals that 
are stored in passage history in ICS. This database will only store one referral type per area 
i.e. one customs and/or one immigration referral type. However, it will store all reasons for 
the referral. 

e Eastern timestamp is used when storing date time elements. Reports and retrieval of 
passage data should be in local time zone. Local time zone should be available for ad hoc 
reports. 

e Any Selected Other Government Departments (SOGD) questions which are in addition to the 
regular questions contained within Part A of the Declaration Card (E311 form), will, as 
required, be added to the Canada-entry kiosk questions. | 

e After kiosk passage has been successfully completed, the member will receive a kiosk 
receipt to present to a point officer to exit the Customs Hall. 

e Kiosk displays a screen message instructing the member to remove their membership card 
and receipt before proceeding to the designated area. | 

e The kiosk or receipt printer emits a warning sound i.e. continuous beep until the member 
has taken the receipt from the kiosk. 
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e An immigration referral is generated for immigration documents that have expired or are 
expiring within 10 days of passage. | | 

e Ifa kiosk passage cannot be completed for specifically defined reasons, the kiosk displays a - 
Screen message to direct the member to the a ppropriate designated area. 

e CBSA HQ designated program personnel sets the required referral codes. 

e Passage is only complete when the control/point officer makes a final decision. 


In terms of auditing, a BSO will add the identification, date and time to the following events and 
keep the information in a centralized location when the following stored data elements are 
viewed or modified, including client logon and logoff times: 


e Client information 
o Changes of saved personal data will be tracked 
o Changes to the personal information of the client - noting the date and time of the 
data change will allow for tracking what is changed since the past values are to be 
kept for a period of five years - 
o Each time the client account information is viewed by a program administrator, 
Audit Trail information will be retained 
e Risk Assessment | 
o Audit information retained for any client status updates 
e Communications 
o Audit information retained for e-mails sent to each individual 
O Bulletins posted 
e Schedule an Interview 
o Date and time and identification of when the schedule was made and, when 
applicable, cancelled | i 


6. Trusted Traveller CATSA Security Lines (TTCSL) 


A pilot of the TTCSL automated gate solution using RFID technology to validate NEXUS 
memberships, is being conducted at the domestic/international pre-board screening checkpoint 
at the Edmonton International Airport. At this pilot site, NEXUS members tap their card at the 
RFID reader on the eGate to confirm their membership is valid rather than visual card verification 
by a CATSA security officer (verification method performed at all other CATSA pre-board screening 
checkpoints that validate NEXUS members to access the TTCSL). The CBSA and CATSA jointly use 
RFID technology solely at the Edmonton International Airport pilot site and not at other CATSA 
screening checkpoints for NEXUS members accessing the TTCSL. When a NEXUS member uses the 
dedicated CATSA line at the Edmonton domestic/international pre-board screening checkpoint, 
he/she uses the RFID embedded in the card that will prompt a picture of the member associated 
with that card on a screen for a security officer to view and match the person using the CATSA 
line. If the screening officer deems it to be a match, the officer allows the member through the 
gate; if it is not a match, the person is sent to the regular security screening line. Nothing more 
than the person’s photo is displayed to the security officer in order to verify the NEXUS member 
at the CATSA line. After the photo is viewed by the screening officer, the CATSA information 
system permanently deletes the photograph. The CBSA has made in-house system changes to 
allow CATSA to ping the GEC database which houses NEXUS membership data. Signage has been 
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placed on top of the screen monitor that informs the passenger that CATSA will verify their NEXUS 
credentials with CBSA if the passenger uses the TTCSL. 


CATSA is planning to roll out an automated gate solution with NEXUS card validation functionality 
(RFID) at the new Calgary International Airport terminal in January 2017. 


The pilot is continuing in Edmonton and an MoU for the disclosure of NEXUS information to 
CATSA to enable CATSA to develop and maintain a TTCSL Automated Gate Solution with the CBSA 
has been developed. An SLA has also been signed between the CBSA and CATSA. Both documents 
expire on December 31, 2016. i" 


There is an audit of all requests and replies for the Enrolment Query Service. 


7. RFID 
In the NEXUS land mode, Vicinity RFID allows an RFID chip to be read within three to four metres 
of an RFID antenna. The antenna is activated to read the chip when a sensor is triggered by the 
approach of a vehicle in an RFID-enabled NEXUS lane. Once activated, the antenna reads the chip 
in the eligible RFID-enabled document presented by the vehicle occupants, retrieves a unique tag 
identifier (ID), and transmits it to CBSA systems. Chips in RFID-enabled travel documents that are 
not accepted under the Initiative will be automatically filtered out by CBSA systems. 


There is no personal information contained within the RFID chip except for the unique tag ID. 
When the unique tag ID is received by CBSA systems, a process is activated to send a request to 
the relevant secure database where it is validated, and the corresponding traveller tombstone 
information is retrieved. This information then populates the BSO's screen and a risk assessment 
is performed on the driver and any passengers. 


An IT update was made to the Integrated Primary Inspection Line (IPIL) Highway traveller 
processing application in October 2014, allowing NEXUS cards to be read by existing RFID-readers 
in flex lanes. 


Explanation of the process. 


Ensure that the work flows provide a description of the data elements and work flows. As reflected in 
the CBSA response to the OPC in Oct 2012: 

When a Canadian applicant applies to the NEXUS program, he/she can do so through either paper 
application in Canada or electronically through the U.S. GOES portal. Through paper application, the 
personal information collected on the form is entered manually in the Canadian GEC of the ICS which 
connects with the U.S. GES. This way, personal information provided by the applicant is provided to both 
governments for risk-assessment. Through an electronic application processed through GOES, the 
principle is very similar in the sense that the applicant provides his/her personal information by keying it 
into GOES which provides the information to both governments through its links to the U.S. GES which is 
linked to the Canadian GEC. On both the paper and electronic application forms there are Privacy 
Statements for Canada and the U.S. which describes the purpose for collecting the information and the 
fact that the information may be shared with other government agencies. 
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An applicant's personal information is risk assessed independently by Canada and the U.S. (see above 
for data elements checked and procedure used for the risk assessment in Canada). Therefore, no data 
elements or other personal information are disclosed to any U.S. agencies from the CBSA for NEXUS 
eligibility assessment purposes. Once the U.S. CBP has completed their separate eligibility assessment, 
they will simply provide a "Pass" / "Fail" indicator. After independent risk assessments, Canada provides 
the same indicator to the U.S. CBP. No reason(s) or rationale for a “Pass” or "Fail" is provided. 


The U.S. may disclose information in accordance with their privacy legislation. In the case of the CBSA, 
the disclosure must be in accordance with section 107 of the Customs Act and that in the case of the 
U.S. CBP, it must also be in accordance with the Freedom of Information Act (FOIA). Should there be a 
disclosure to third parties, it must first be done by obtaining the written permission of the sending 

country, except if the disclosure is done in order to obtain assistance from the third party on the 
assessment of an application. 


As part of the trilateral trusted traveller arrangement, third country nationals will only be able to apply 
to NEXUS electronically through the U.S. operated GOES. 


Identification Numbers 
Each NEXUS member is assigned the following unique personal identifiers: 


e CBSA (GEC system driven number) 
.* CBP (GES system driven number) 
e CPCS (payment transaction number when appropriate) 


These numbers are used to cross reference NEXUS clients across various databases to support the 
delivery of the NEXUS program as well as to eliminate duplicate applications/documents. 


An activity log is maintained of all transactions made on an individual's membership record. 


Risk Assessments 

Risk assessments are conducted prior to membership approval, at passage and again on a regularly 
Scheduled basis (once a year or on an ad hoc basis) during the term of a NEXUS membership. These risk 
assessments use personal information collected by other agencies, including law enforcement and other 
government departments to determine eligibility to participate and retain NEXUS program membership. 
During these risk assessments, an applicant's personal information is not disclosed to other Canadian 
Federal Government institutions. Rather, the CBSA uses the personal information such as surname, 
middle name, given name, maiden name, DOB, and address to query information from other 
institution’s databases to which the CBSA has access. The CBSA also queries its own databases. For all 
searches, the least amount of information is entered into the search function of the database being 
used. 


Specifically, four databases are queried during the risk assessment Stage: 


1. IBAS 
2. CPIC 
3. ICES 
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4. NCIC 


These databases reveal if the person has any recorded violations/contraventions of any of the program 
legislation enforced by the CBSA, in particular the IRPA, the Customs Act, the Criminal Code of Canada, 
and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) which may 
exclude the applicant from the program. The NEXUS terms and conditions are found at the following 
link: http://www.cbsa-asfc.gc.ca/prog/nexus/term-eng.htm| 


NCIC is the U.S. equivalent to CPIC, which houses wants/warrants and criminal records, and is used by 
the CBSA to determine if a crime committed or a want/warrant issued in the U.S. would be equivalent 
(in terms of seriousness) in Canada. For example, certain crimes in the U.S. that may not be considered 
serious enough to exclude an applicant from the program in the U.S. may be considered a serious crime 
in Canada, and vice versa. 


Credit Card Information 

Applicants have the option of paying for the application processing fee by way of a credit card. This 
option also requires the applicants! consent. Credit card information is maintained in the CPCS. Access to 
this sensitive financial information is limited to CBSA users involved in membership enrolment, status 
updates, renewals, and monitoring of NEXUS program trends by headquarters staff. Each user is 
assigned an identifier and all transactions are logged. As well, Canadian residents who use a Traveller 
Declaration Card (TDC) voluntarily provide their credit card information when submitting their TDC. The 
CBSA's Policy on the Retention of Payment Card Information for Trusted Traveller Programs is attached 
at Schedule J. | 


Credit card information collected by the CBSA when a paper application is processed is not shared with 
any other business application at the CBSA or other government department. Likewise, CBP does not 
share the credit card information with the CBSA when this information is provided via the GOES on-line 
application. 


Biometric Information | 

Biometric information is collected at the time of enrolment. The iris scan is used to identify the member 
at air passage. A photograph is also used to identify the member at land passage and during the eGate 
pilot. Fingerprints are collected by the U.S. CBP to verify the identity of the member during initial 
enrolment, renewal or re-enrolment. These fingerprints are not shared with the CBSA. 


The personal information collected to determine membership eligibility includes biometric data and it is 
captured at two points: at enrolment, and again at each passage. A record of the iris image captured at 
enrolment is retained in the Iris Storage Database. The passage image is a transitory record used to 
compare against this stored image to establish a match. No new iris biometrics are collected at time of 
membership renewal. As part of the NEXUS enrolment process, an applicant interview takes place 
where both the CBSA and CBP are represented. This interview process consists of a review of all 
documents for authenticity, of client contact information and an explanation of the reporting 
requirements for each of the interviewers' respective countries. Notes may be made in the general note 
area of GEC and GES of each respective country. 
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Notice 
The individual must sign a statement of consent on the application form to the collection, use and 


sharing of personal information, or indicate agreement to a statement of consent if using the online 
enrolment system. Consent is also obtained on the TDC form. With respect to minors, there is a 


Pursuant to sections 7(2) and 7(2.1) of the Presentation of Persons (2003) Regulations, a person may 
apply for an authorization (e.g. NEXUS card) on behalf of a child who is under 18 years of age or on 

behalf of a person over the age of 18 who has a mental or physical disability, respectively. Should an 
applicant mentioned above pass the initial application process, the person applying on behalf of the 


The NEXUS website (www.nexus.gc.ca) does provide information on using a third party representative 
to apply for the program. 


As reflected in the CBSA's October 2012 response to the OPC, the Privacy Notice Statement (PNS) for the 
NEXUS application has been modified to provide a more thorough description of the legal authority and 
uses of information provided to the CBSA by applicants. The revised PNS is as follows: 


Canada's Privacy Statement | 

The information you provide in your application, including supporting 
documentation and biometric data, is collected by the Canada Border Services 
Agency (CBSA) and is protected pursuant to both the Customs Act and the 
Privacy Act. In accordance with Canadian laws and regulations, this information 
will be shared with other government departments or agencies in Canada and 
the United States of America for the purpose of the operation of the NEXUS 
program and to conduct applicable checks and verifications to determine your 
eligibility and continued eligibility in the NEXUS program. If the required 
information is not provided, your application may not be processed and the 
authorization may not be granted. 


Individuals to whom the information relates have rights of access to, correction 
of and protection of, their personal information under the Privacy Act. The 

information collected is described in Personal Information Bank # CBSA PPU 

031. Instructions for obtaining information are provided in Info Source, which 

is available at public libraries, government public reading rooms and on the 

Internet at: http:// infosource.gc.ca 
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Correction of Information: 
Currently, when a NEXUS member wishes to correct or update their membership information (e.g. 
change in address or name) they may: 


e Request the correction/update via GOES; 
e Contact an official working at a NEXUS EC or CPC to request the correction or update; or, 


e Submit a renewal/re-application that contains corrected/ updated information. 


4.2. Audit of NEXUS Use 


Each time that NEXUS membership is modified in ICS, an audit trail is established that tracks user 
identification, date modified and field(s) modified. An audit trail is not recorded when data is 
merely accessed for review purposes; privacy risks of an unauthorized person accessing the 
system are minimized through security and training given to authorized ICS users. Compliance 
reviews are not currently being done to determine if authorized ICS users are accessing NEXUS 
membership information. Nevertheless, with the safeguards in place, the risk of compliance being 
abused or misused is considered minimal. 


There is also an audit of CATSA use. 


4.3. Retention of NEXUS Data | | 
The retention period for NEXUS information, in line with the Privacy Act and its regulations, 
Canada Evidence Act and Customs Act, is as follows: 


e Electronic and paper applications are destroyed according to the following schedule: 

o Refused applications for NEXUS: The application forms and accompanying 
documents will be destroyed two years after the redress period has expired if 
there has been no request for redress. This information is kept in order to satisfy 
Privacy Act requirements to keep personal information for two years following 
the last administrative use, and to allow the refused applicants the opportunity 
for redress. | 

o Successful applicants for NEXUS: All paper application forms are scanned and then 
destroyed in accordance with the CBSA Records Retention and Disposition policy. 
Payment forms are not scanned and all physical copies are stored securely in case 
of payment dispute/refund request as per standards governing the handling of 
financial documents. The application form and electronic copies will both be 
destroyed six years after the date on which an application is approved. The 
retention period for the accompanying documents is still under development. 


e Biometric information will be destroyed according to the following schedule: 
o Refused applicants to NEXUS: Failed applicants will not be asked to provide any 
biometric data. 
o Successful applicants to NEXUS: Only approved members are required to provide 
a photograph, and fingerprints (which are collected only by the U.S. CBP and are 
not shared with the CBSA). The iris biometric is optional, as this biometric is only 
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useful if the member wishes to use self-serve kiosks in airports. The retention 
period for the photograph and the initial iris scan taken at the time of enrolment 
is four years following the last time the information was used for an 
administrative purpose. Iris templates used to identify a member at time of 
passage are kept for a period of two years following each passage. 


e With respect to kiosk receipt following the use of the self-service kiosks in the airports, it 
has been established that the CBSA does not have a legal obligation to retain the printed 
kiosk receipts because the receipt information is electronically collected. 


The personal information described above is not shared externally. 


A retention policy on Trusted Traveller Program's application forms has been developed as part of 
the Policy on the Retention of Payment Card Information (Schedule J). User activity of GEC and 
the CPCS within the CBSA can be monitored since the user making the modifications to data and 
the date and time of the modification are logged. Firewalls are used to protect the integrity of the 
data storage. Once information is modified by either the CBSA or the U.S. CBP, this information 
will be updated to other agencies' internal systems. 


Audit records are retained and disposed of according to CBSA information management policies, 
and specifically Government of Canada multi-institution disposition authorities and CBSA 
institution-specific disposition authorities. 


4.4. Data Flow Model - Table 


SOURCE — 


The individual or a representative 


Individuals participating in the program 
RCMP - Information Centre Database (RCMP 
PPU 005) 


IRCC - Interdiction Border Alert System (CIC 
PPU 042) 


CATSA — Boarding Pass Security screening (CATSA 
PPU 100) 


| A federal government institution (identify from 
what PIB the information is obtained) 


- Provincial Government 


- Organization of a Foreign State U.S. CBP 


U.S. Government Printing Office (for the printing of 


the NEXUS card) 
Canada Border Services Agency 
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Private Sector = 


Located in Canada and Canadian Owned 


- Located in Canada and Foreign Owned 


- located abroad and Foreign Owned 


4.5. Internal Use and Disclosure 20 
Where will the information circulate within the CBSA? Identify any related programs or activities and 
personal information banks as identified in the CBSA Info Source chapter. 


Travellers Programs: 
NEXUS 
Trusted Traveller Processing 


CBSA PPU 031 
CBSA PPU 1101 
Integrated Customs Enforcement System CBSA PPU 016 


Enforcement and Intelligence Operations 
Directorate 


CBSA PPU 018 
CBSA PPU 005 
CBSA PPU 1104 


Enforcement and Trade Appeals 
Operations — Overt Audio-Video Surveillance 


4.6. External Use and Disclosure 


The individual or a representative 


RCMP PPU 005 
CIC PPU 042 
CATSA PPU 100 


RCMP - Information Centre Database 
IRCC - Interdiction Border Alert System 
CATSA — Boarding Pass Security Screening 


| Non-federal institutions and private sector 


U.S. CBP/ U.S. GPO 


- Provincial Government 


- Municipal Government 


- Aboriginal Government / Council 


- Organization of a Foreign State 


International Organization 


Private Sector - PR | 


- Located in Canada and Canadian Owned 


- Located in Canada and Foreign Owned 
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- Located abroad and Canadian Owned 


- Located abroad and Foreign Owned 


4.7. Retention / Storage 


A federal government institution 


A Federal Records Centre 


Back-up tape (3"x 3" disc) is physically stored 
with Library and Archives Canada for 6 years 


Non-federal institutions and private sector — 


- Provincial Government 


- Organization of a Foreign State | | U.S. CBP 
U.S. GPO 
Mexico's Instituto Nacional de Migracion and 
the UK Border Force (no personal 


information is shared between the CBSA and 
these other organizations) 


International Organization 


Private Sector 


Located in Canada and Canadian Owned 


- Located in Canada and Foreign Owned 


- Located abroad and Canadian Owned 


- Located abroad and Foreign Owned 


t 
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4.8. Other Possible Considerations 
Identify the areas, groups and individuals who access and handle the personal information: 


The CBSA re for program or activity: 
There are 1,762 CBS/ officers that have acc CC 
responsible for the program or art. P o B 


| Positions Who have re ess m uset ME | Te Pv : iphi a Fr 
personal inforr ration where x. cd us nte 
_ appropriate) | 


Border Services Offi icers at any of 
Canada's eight international 
airports and Billy Bishop Toronto 
City Airport and at land ports of 
entry 
Program and Policy some Managers, Senior Program 
Management Division Advisors and Senior Program 
Officers to respond to internal 
queries or from the public 
Some Managers, Senior Program 
Advisors and Senior Program 
Officers for production support 
purposes and troubleshooting; 
Help Desk inquiries 
Senior Program Advisors, Senior 
Program Officers and Junior 
Program Officers 


ral government Institution responsible for program or act vi ty: (one table per institution: 


ify F6 "OL ips or Areas /« or 2» 
Divisions _ ! "os 


Vancouver, Calgary, 
Edmonton, Winnipeg, 
Ottawa, Toronto, 
Montreal, Halifax and at 
NEXUS land POEs 


National Capital Region 


National Capital Region 


ee LG CBSA 


Business Systems Integration 
Division 


National Capital Region 


Stakeholder Engagement & 


National Capital Region 
Outreach 


: Non | Federal Institution or Private , Sec or: ‘name’: (one table | pe ri nstitution) : P E pu EAD 
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SECTION 5 - PRIVACY COMPLIANCE ANALYSIS 


Has a legal authority been iden tified for the collection of personal information for this program or 
activity? | | 


Statutory reference: Section 4 of Privacy Act (Section 4 has been interpreted to mean that a legal 
authority must be established for a collection of personal information, but section 4 does not provide 
legal authority for such a collection). 

Policy reference: Section 6.2.6 of Directive on Privacy Practices 

Yes 


1.1 Specify the legal authority and briefly explain its connection to the program or activity or how it 
permits the collection of the personal information: 


**Ensure that the legal authority to collect the personal information is cited in the relevant PIB and in 


"Section 1 — Overview and PIA Initiation" above. 
p E 


b Um 


zt 


ectly related to an operat 


B 


1.3 [x] Isthe personal information collected dir ng program or activity 


- Continue to Question 2 


No 


1.3 [] If there is no legal authority for the collection of personal information, it cannot be collected. 
Please consult your legal advisor to determine if there is authority to proceed with the program 
or activity. **The PIA process must not continue without this key information.** 


Is each element and sub-element of personal information collected or to be collected necessary to 
administer the program or acti vity? | 


Statutory reference: Section 4 of Privacy Act 
Policy reference: Sections 6.1.1, 6.1.3, 6.1.4, 6.2.7 and 6.2.8 of Directive on Privacy Practices 
YES 


2.1 Ensure that all personal information necessary to administer the program or activity is listed in 
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the relevant PIB. 


**Personal Information Bank (PIB) should be found within "Section 1 — Overview and Initiation" 
above** 


2.2 [X] AND, implement controls and procedures to ensure the CBSA does not collect more personal 
information than is necessary for the identified program or activity and that a continuing need 
exists for that information or its collection. 


**Ensure to provide the "controls and procedures" as an annex to this PIA** (Annex D) 

2.3 Are secondary uses contemplated for the information collected? 

**Treasury Board defines a "Secondary Use" as a purpose that is not consistent with the original 
purpose of the collection.** 

[ ] YES [X] NO (Continue to Question 3) 


**|f you've selected "Yes" to Question 2.3 above, please note that Consent is required for ail 
"Secondary Uses". Please ensure that a "Consent Statement" is created. Please refer to “4. Direct 


Collection - Notification and Consent (as appropriate)" below for the information required in a 


"Consent Statement".** 


2.3.2 If not, is there authority for the use or disclosure of the personal information? 


**Please ensure that the Legal Authority identified above allows for ail uses and disclosures of the 
personal information.** | | 


YES | ]NO 
— Continue to Question 3 
NO 


2.4 [] Review the proposed elements and sub-elements of personal information outlined in “Section 3 
- Analysis of Personal Information Elements" to identify those that are "necessary" and not 
merely useful. Document any changes. 


Is the collection of the Social Insurance Number (SIN) necessary to administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 


Policy reference: Section 6.2.13 of Policy on Privacy Protection and sections 6.1.1 and 6.2 to 6.4 of © 
Directive on Social Insurance Number | 


Also see "Guidance for Preparing Information-Sharing agreements Involving Personal Information" and 
"Taking Privacy into Account Before making Contracting Decisions" 


YES 


3.1 [ ] Collection of the SIN must be in compliance with the Directive on Social Insurance Number 
| (please check all appropriate boxes below): 
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3.2 [ ] State legal authority for collecting the SIN: 


.. OR, in the absence of a legal authority to collect the SIN: 

3.3 C] Establish explicit authority through legislative amendment(s). 
3.4 [_] Establish legal authority as outlined in the Directive on Social Insurance Number. 
AND, if disclosure of the SIN by the CBSA is to occur on a routine or Systematic basis 


3.4.1 [_] to another federal institution that is authorized to collect it, or to another level of 
government, establish an agreement or arrangement that includes specific provisions to 
limit the use of the SIN. | 


._ 3.4.2 [ ] to a contractor or other external service provider, establish a contract that includes 
specific provisions to limit the use of the SIN. 


3.5 [.] AND, ensure that the relevant PIB for the program or activity states the authority under which 
the SIN is collected and the purpose for which it is used. | | 


— Continue to Question 4 


NO 


3.6 The SIN is not necessary and it will not be collected, used or disclosed to administer the 
program or activity. 


— Continue to Question 4 


— 


Is personal information collected directly from the individual to whom it relates? 


Statutory reference: Sections 4 and 5 of Privacy Act 


Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and section 
6.1.2 and 6.4.1 of Directive on Social insurance Number 


YES 


4.1 A "Privacy Notice" (adapted for either verbal or written communications) must be provided to 
the individual at the time of collection and it must include the following elements: 


a) The purpose and authority for the collection 
b) Any uses or disclosures that are consistent with the original purpose. 


c) Any uses or disclosures that are not related to the original purpose 


(This element need only be included when additional uses or disclosures on a regular basis are 
contemplated at the time of collection for a purpose other than the original purpose or a 
consistent use, in which case a "Consent Statement" may need to be added to the "Privacy 
Notice" — see below for "Consent Statement" elements.) 


d) Any legal or administrative consequences for refusing to provide the personal information 


e) That the "individual to whom the information relates" has rights of access to, correction of 
and protection of personal information under the Privacy Act. 


f) Areference to the PIB for the program or activity 
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(This element need only be included when the notice is to be given to the individual in writing.) 


**For a copy of the CBSA Privacy Notice and Consent Statement template, contact the ATI 
and Privacy Division.** 


g) Why the SIN is collected, how it will be used and the consequence of not providing it. 


(This element need only be included when the SIN is being collected — refer to “3. Authority For 
the Collection, Use or Disclosure Of the Social Insurance Number" above.) 


AND, add a "Consent Statement" to the "Privacy Notice" as appropriate, if the personal 
information is to be used or disclosed for a purpose other than the original purpose (Secondary 
Use) or a consistent use, or, to authorize indirect collection of personal information. 
4.2 [X] The "Consent Statement" must include the following elements: 
a) The purpose of the consent and the specific personal information involved. 
b) In the case of indirect collections, the sources that will be asked to provide the 


information. (This element need only be included when personal information is to be collected 
from another source e.g., person or organization with the consent of the individual) 


c) Uses and disclosures that are not consistent with the original purpose of the collection and 
for which consent is being sought. 


(This element need only be included when the individual's consent is sought for a secondary 
use or disclosure that is not consistent with the original purpose for which the information is 
collected. To find out if the individual's consent is necessary for such a use or disclosure, please 
consult the ATI and Privacy Division) 

d) Any consequences that may result from withhold ing consent. 

e) Any alternatives to providing consent 
**For a copy of the CBSA Privacy Notice and Consent Statement template, contact the ATI 
and Privacy Division** 


4.3 [X] AND, implement controls and procedures to ensure that the CBSA keeps a record documenting 
whether or not an individual provided consent when it was sought, including a record 
documenting any withdrawal of consent when applicable. | 


**Ensure to provide the "controls and procedures" as an annex to this PIA**(Annex E) 


— Continue to Question 5 
NO 
4.4 [ ] The personal information necessary for the program or activity is not collected directly from the 


individual. It is collected indirectly, for example, from another program within the CBSA, or 
from another institution, government or third party. 


— Continue to Question 5 


Is personal information collected indirectly from another source with the informed consent of the 
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individual to whom it relates, or from a person authorized to act on behalf of the individual pursuant 


to section 10 of the Privacy Regulations? 


Statutory reference: Sections 4 and 5 of Privacy Act and section 10 of Privacy Regulations 


Policy reference: Sections 6. 1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and sections 
6.1.2 and 6.4.1 of the Directive on Social Insurance Number 


YES 


5.1 The notice and consent requirements stated at Question 4 apply. Please provide the "Privacy 
Notice" and/or "Consent Statement" below: 


Canada’s Privacy Statement 

The information you provide in your application, including supporting documentation and biometric 
data, is collected by the Canada Border Services Agency (CBSA) and is protected pursuant to both the 
Customs Act and the Privacy Act. In accordance with Canadian laws and regulations, this information will 
be shared with other government departments or agencies in Canada and the United States of America 
for the purpose of the operation of the NEXUS program and to conduct applicable checks and 
verifications to determine your eligibility and continued eligibility in the NEXUS program. If the required 


information is not provided, your application may not be processed and the authorization may not be 
granted. 


Individuals to whom the information relates have rights of access to, correction of and protection of, 
their personal information under the Privacy Act. The information collected is described in Personal 
Information Bank # CBSA PPU 031. Instructions for obtaining information are provided in Info Source, 
which is available at public libraries, government public reading rooms and on the Internet at: 
http://infosource.gc.ca. | 


Consent Statement 

| understand that any information gathered for the purposes of this application, including any 

supporting documentation, background information, biometric data and information obtained from the 
relevant files of law enforcement agencies, including intelligence gathered for law enforcement 

purposes, will be used for the purpose of the operation of the NEXUS program and to conduct applicable | 
checks and verifications to determine eligibility and continued eligibility in the NEXUS program as 
described in the Presentation of Persons (2003) Regulations. My contact information may also be used 

by the CBSA to send me notifications related to changes to the NEXUS program. 


In addition, | understand that my personal information gathered for the purposes of this application, 
including my supporting documentation, background information, biometric data, and any other 
information obtained and collected for the purpose of the operation of the NEXUS program and to 
conduct applicable checks and verifications to determine my eligibility and continued eligibility in the 
NEXUS program, may be accessed and used by the CBSA, as well as by other government departments 
or agencies in Canada (including the Royal Canadian Mounted Police and the Canadian Security 
Intelligence Service), in accordance with the Privacy Act. | 


In addition to the above-noted use by the CBSA and other Canadian government departments and 
agencies, | also understand that the CBSA will share Its determination of my eligibility to the NEXUS 
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program, based on Canadian criteria, with the United States Department of Homeland Security ("DHS"). 
The DHS will, in turn, disclose to the CBSA its determination of my eligibility based on the American 
criteria. | 


If you do not consent to the above-noted collection, use and sharing of your personal information, your 
application cannot be processed and an authorization cannot be granted. | 


Do you consent to the above noted collection, use and sharing of your personal information AND do you 
certify that all the information given on this application, and in support of this application, is provided 
voluntarily and is true, accurate and complete, and that you have read, understood, and agree to abide 
by all conditions applicable to the program to which you apply and to the use of the associated 
authorization, including all instructions and notices accompanying this application? o Yes o No 


5.2 AND, implement controls and procedures to ensure the CBSA keeps a record documenting 
whether or not an individual provided consent when it was sought, including a record 
documenting any withdrawal of consent when applicable. 


**Ensure to provide the “controls and procedures" as an annex to this PIA**(Annex E) 


5.3 Dx] AND, if information is being collected from persons authorized to act on behalf of minors, 
incompetents or individuals who have been deceased for less than 20 years, implement 
appropriate mechanisms to ensure that such persons are authorized to act on behalf of 
individuals who do not have the capacity to provide consent. 


**Ensure to provide the "mechanisms" as an annex to this PIA**(Annex E) 


Note: With respect to minors, there is a standard mechanism in place to ensure the recognition of 
persons authorized to make decisions on behalf of others. The NEXUS application form states, 
"If applying for a child under 18 years of age, you must ensure that you provide documentary 
evidence that you have authority to apply on behalf of the child and that a photocopy of all 
legal documents regarding custody are submitted." In such circumstances the parent or 
guardian will present this documentary evidence to the CBSA and U.S. CBP officers during the 
interview at the EC. The NEXUS website (www.nexus. gc.ca) does provide information on using a 
third party representative.to apply for the program. 


— Continue to Question 6 


NO 
5.4 L] — Continue to Question 6 


Is personal information collected from another source without notice to or consent from the 
individual to whom the information relates? 


Statutory reference: Sections 4, 5, 7 and 8 of Privacy Act and section 10 of Privacy Regulations 
Policy reference: Sections 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices, section 6.2.15 of the 
Policy on Privacy Protection and sections 6.3.2 and 6.3.3 of Directive on Privacy Impact Assessment 


YES 
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6.1 [ | Where information is collected indirectly under any of the following circumstances without 


notice to, or consent from, the individual to whom it relates, please check the applicable boxes 
and explain as requested: 


[ ] a) The collection is a result of a disclosure to the CBSA under subsection 8(2) of the Privacy 


Act. State the applicable paragraph(s) of subsection 8(2) and provide a brief 
explanation for each: 


[ | b) Direct notification of the individual might result in the collection of inaccurate 
information, or might defeat the purpose or prejudice the use for which the 
information is collected. Briefly explain why notice is not provided: (For example, 
certain kinds of lawful investigation might be jeopardized if the investigators were 
required to notify the individuals who were the subjects of the investigations before 
collecting information indirectly from other sources.) 


[ ]c) The information involved in the program or activity is to be used solely for a non- 
administrative purpose in which no decisions are made about the individuals to whom 


the information relates. (This includes research, statistical, audit or evaluation 
purposes.) 


6.2 L] AND, if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the 
relevant PIB. | 


6.3 [ ] AND, if the information is to be used solely for a non-administrative purpose (box c above has 
been checked), ensure that the requirements under sections 6.3.2 and 6.3.3 of the Directive on 
Privacy Impact Assessment have been met, and that the decision of the official responsible for 
section 10 of the Privacy Act to proceed with a CBSA PIA for the program or activity has been 
adequately documented in the description of the program or activity in "Section 1 - Overview 
and PIA Initiation" of the CBSA PIA. 


6.4 [ ] OR, if none of the circumstances in a) b) or c) is applicable, then the personal information must 
be collected directly from the individual, or indirectly with the consent of the individual. Please 
review the responses to Questions 4 and 5 and ensure that the "Privacy Notice" or the 
"Consent Statement" includes all of the required elements within Question 4. 

—> Continue to Question 7 | 
NO 
6.5 All personal information is collected directly from the individual to whom it relates, or 


. from another source with notice to, or consent from, the individual or a person authorized to 
act on behalf of the individual (see Questions 4 and 5 above).— Continue to Question 7 


HI ana vis 255.24 I A PS SUG DIINPENTIQREUIT 


Has Library and Archives Canada approved a records retention and disposal schedule that applies to 
the personal information? (Consult Information Management officials to determine the authority to 
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retain and dispose the personal information and provide the relevant details below. ] 


Note: Information Management has indicated that Library and Archives Canada does not approve 
retention and disposition schedules. That is an internal process that involves the OPI and IM Operations 
(ISTB-EAIM-EIMD-IM Operations). CBSA business determines and approves retention schedules. 


The Information Management Unit must approve answers to this section. 


Statutory reference: Section 12 of Library and Archives Canada Act, sections 6, 10 and 11 of Privacy Act 
and section 4 of Privacy Regulations 
Policy reference: Sections 6.1.3, 6.2.11 to 6.2.13 and 6.2.23 of Directive on Privacy Practices 

YES 


7.1 Please identify the Record Disposition Authority (RDA) and describe the retention and disposal 
schedule: (For example, RDA Number: 79/002, records are retained for 10 years -- active for 
five and dormant for five. Destruction through agreement with Library and Archives Canada.) 


a 


7.2 [x] AND, implement controls and procedures to ensure that personal information used to make a 
decision that directly affects an individual will be retained for a minimum of two years after the 
last administrative action or, where a request for access to the information has been received, 
until such time as the individual has had the opportunity to exercise all his/her rights under the 
Act. (For example, the information must be retained for at least two years after the CBSA ATI 
and Privacy Division responded to the request. If the requestor complains to the Privacy 
Commissioner, the information must be retained for at least two years following the 
Commissioner's finding on the complaint. If the finding is reviewed by the Federal Court, then 


the information must be retained for at least two years after that review is completed, and so 
on.) 


**Ensure to provide the “controls and procedures” as an annex to this PIA**(Annex F) 


7.3 AND, if the CBSA intends to dispose of personal information that has been used for an 
administrative purpose prior to the expiration of the two-year minimum retention standard 
established by the Privacy Regulations, it must obtain the consent of the individual to whom 
the information relates before doing so. (This may occur if, for example, within the two year 
period it is determined that the information is incorrect and that the most appropriate means 
of correction is disposal, or if the information is no longer required. The consent of the 
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individual to dispose of the personal information must be obtained in writing.) 


74 AND, the CBSA must cite the RDA number, the retention period and the disposition standards 
for the personal information in the relevant PIB. 


— Continue to Question 8 
NO 


7.5 [ ] Provide a Records Disposition Submission to Library and Archives Canada describing the records 
containing the personal information for which the institution requires a RDA. 


7.6 [_] AND, obtain a RDA from Library and Archives Canada to allow the CBSA, under certain 
conditions, to dispose of records that no longer have operational utility for the program or 
activity. | 

7.7 C] AND, ensure that all the other applicable requirements listed under "YES" at Question 7 are 
met. 


—> Continue to Question 8 


Will measures be adopted to ensure that personal information used by the CBSA for an administrative 
purpose is as accurate, up-to-date and complete as possible? 


Statutory reference: Sections 6, 10 and 11 of Privacy Act and sections 10 and 11 of Privacy Regulations 
Policy reference: Sections 6.1.1 and 6.2.9 to 6.2.16 of Directive on Privacy Practices 
YES | 
8.1 [X] Please check any of the following measures that will be adopted to ensure accuracy of the 
personal information and provide details as requested: 

8.1.1 [X] Personal information will be collected directly from the individual to whom it relates or it 
will be validated with the individual or a person authorized to act on behalf of the 
individual. 

8.1.2 Dx] A data-matching process will be used to verify the accuracy of personal information against 


a "reliable source" (within or outside the CBSA) where this is authorized, or where consent 
was obtained. | 
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= E 


8.13 [ ] In cases where direct collection or consent is not feasible, the CBSA will obtain information 


from trusted sources (public or private) and verify accuracy against existing personal 
information before use. | 


81.5 [ ] Other 


8.2 [X] AND, if measures are adopted other than "direct collection or validation with the individual or 
with a person authorized to act on behalf of the individual", the CBSA must implement 
appropriate controls and procedures to ensure that: 


a) the technique(s) and the specific source(s) used to validate or update the personal 
information are documented; 


b) individuals are given the opportunity, whenever possible, to request correction of any 
inaccurate personal information before the information is used in a decision-making 
process that affects them; 


c) personal information can only be modified or corrected by those within the CBSA who have 
the authority to do so; 


d) when personal information is corrected or annotated, the record of personal information 
indicates the date of the last correction or annotation and the source of the information 
used to make the correction or annotation; and 


d) when personal information is corrected or annotated, other authorized holders of the 
information are notified about the correction or annotation and that all copies of the 
information in the possession of the CBSA are corrected / annotated. 


8.3 [X] AND, if appropriate, ensure that the "Privacy Notice" or "Consent Statement" and the relevant 
PIB are amended to identify the data-matching activity including the source(s). 
— Continue to Question 9 
NO 
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— Continue to next Question 9 
**Ensure to provide all relevant "controls and procedures" implemented as a result of the above 


requirements as an annex to this PIA**(Annex G) 


Will the personal information collected for the program or activity be used solely for the original 
purpose for which it was obtained or compiled, a use consistent with that purpose, or a purpose for 
which the information was disclosed to the institution pursuant to subsection 8(2) of the Privacy Act? 


Statutory reference: Sections 5 and 7 to 11 of Privacy Act 
Policy reference: Sections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices, 
section 6.2.15 of Policy on Privacy Protection and Section IV of Appendix C of Directive on Privacy Impact 
Assessment 

YES 


9.1 Implement controls and procedures to ensure that access to the personal information for such 
purposes will be limited to authorized individuals who need to know the information to 
perform their official duties. (Identify the work positions within the program or activity that 
have a valid reason to access and handle the personal information, and limit access to 
individuals occupying those positions.) See Section 4.6 (Other Possible Considerations) 


9.2 [X] AND, ensure that the “Data Flow Diagram" or "Data Flow Tables" completed for "Section 4 — 
Flow of Personal Information" of the CBSA PIA identify the areas, groups and individuals (e.g., 
the positions) within the CBSA who have a need-to-know to access to or handle the personal 
information, including their geographical location and where the personal information will be 
Stored or retained. (See Section IV of Appendix "C" of Directive on Privacy Impact Assessment 
for a list of elements that must be included in the data flow diagram or data flow tables.) 


9.3 [X] AND, if the purposes for which the personal information is used includes any use(s) of the 
information for a non-administrative purpose, (such as research, statistical, audit and 
evaluation purposes) the CBSA will adhere to the requirements and principles in the CBSA 
Privacy Protocol For Non-Administrative Purposes (2012), in accordance with section 6.2.15 of 
the Policy on Privacy Protection, to address any impact that such non-administrative uses may 
have on privacy. 


—? Continue to Question 10 
9.4 AND, ensure the use of personal information is compliant with CBSA's Privacy Code of Ethics. 


Note: Personal information data will be used for the purposes for which the CBSA originally 
collected the data, that is, to make a determination on the applicant for membership eligibility 
either during initial enrolment or at membership renewal as well as for the administration of the 
individual's membership record during the period of their participation in the program. For example, 
personal information is used to compare transitory iris images captured at passage in the air mode 
to establish a match for identity purposes. Disclosure of information for other reasons is only 
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undertaken pursuant to section 107 of the Customs Act and in accordance with the CBSA Policy on 
the Disclosure of Customs Information (see Schedule H). Biometric information captured during 
enrolment (e.g. iris scan), is used to identify the member during air passage. Individuals are not 
required to provide their iris biometric if they do not intend to travel by air. 


**Ensure to provide the "controls and procedures" as an annex to this PIA**(Annex H) 


NO 


9.5 [] Identify below any other uses of the personal information, in other words, any routine uses that 
are not directly related to the purpose of the collection, or, which are not consistent with that 
purpose or for which the information was disclosed to the CBSA pursuant to subsection 8(2) of 
the Privacy Act: | 


9.6 [ | AND, ensure that these other uses are reflected in the relevant PIB. (In accordance with 
subsection 9(1) of the Privacy Act, if these other uses are not described in the PIB in CBSA Info 
Source, the CBSA is required to record each use on the individual's file. Describing them in the 
PIB is, therefore, a far more efficient practice — see Question 11.) 


EN 


9.7 [C] AND, include a description of these other uses in the “Privacy Notice” or “Consent Statement”, 
as appropriate, 


[ ] AND, ensure the all the other applicable requirements listed under "YES" at Question 9 are 
met. 


—? Continue to Question 10 


Will personal information be disclosed for purposes directly related to the administration of the 
program or activity? (This includes, for example, disclosures to other programs within the CBSA, other 
federal institutions, other governments, international organizations, private sector organizations or 
individuals.) 


If there are new or modified MOUs or ISAs as part of the program, the IMU must be consulted and the 
IMU must approve/endorse the responses to this question. | 


Statutory reference: Sections 5 and 8 to 11 of Privacy Act. 


Policy reference: Sections 6.2.10, 6.2.11 and 6.2.13 of Policy on Privacy Protection, sections 6.2.1 to 
6.2.3 of Directive on Social Insurance Number, sections 6.1.9, 6.2.9 to 6.2.13 and 6.2.15 to 6.2.20 of 


Directive on Privacy Practices and section IV of Appendix "C" of Directive on Privacy Impact Assessment ) 
Also see "Guidance for Preparing Information-Sharing agreements Involving Personal Information" and 
"Taking Privacy into Account Before making Contracting Decisions 


YES 


10.1 Please check all applicable boxes below and, for each disclosure, identify the name of the 
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organization or third party to which personal information will be disclosed. If it is disclosed 
within the CBSA, please identify the branch and the program or activity. 


10.1.1 [x] Within the CBSA for another program or activity 


sector (e.g., contractor or other external service provider) 


10.2 [X] AND, ensure that: 


a) any such disclosure is made in compliance with section 8 of the Privacy Act, which allows 
disclosures of personal information with consent of the individual to whom the information 


relates (subsection 8(1)) or without consent in certain and limited circumstances pursuant 
to subsection 8(2) of the Act; 


b) only personal information elements that are necessary for the intended purpose are 
disclosed; 


c) theorganization or third party receiving the personal information is authorized to do so; 


d) administrative, physical and technical safeguards appropriate to the sensitivity of the 
information will be applied to protect the information during and after its transmission (see 
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Question 15); 


e) the organization or third party to which the personal information will be disclosed for the 
administration of the program or activity are identified in the "Consistent Use" section in 
the relevant PIB in CBSA Info Source, including the specific purpose of the disclosure; 


the "Privacy Notice" or "Consent Statement" describes any disclosures of information; (For 
a copy of the CBSA Privacy Notice and Consent Statement template, contact the ATI and 
Privacy Division) and, __ 
f) the “Data Flow Diagram” or “Data Flow Tables” completed in "Section 4 — Flow of Personal 
Information" of the CBSA PIA include details on the disclosed personal information: (See 
“Section IV of Appendix "C" of Directive on Privacy Impact Assessment for a list of elements 
that must be included in the data flow diagram or data flow tables.) 


10.3 AND, any disclosure of personal information to another federal institution or outside the 
Government of Canada is governed by a formal agreement or arrangement (e.g., a 
Memorandum of Understanding, an accord, a contractual arrangement, etc.) to ensure that 
appropriate privacy protection clauses are included, and, where applicable, include provisions 
for inter-jurisdictional or transborder flows of personal information. Such clauses must cover 
the following topics: 


a) Control over personal information, where appropriate. 
b) Limitations on the collection, retention, use and disclosure of personal information. 


c) Measures (administrative, technical and physical) to protect the integrity and 
confidentiality of personal information. 


d) Measures governing the disposition of the personal information, where relevant 


e) Measures to ensure or verify that the personal information is only used for the purposes 
related to the agreement, arrangement or contract. 


f) Obligations are to be extended to other parties such as subcontractors. 
— Continue to Question 11 


NO 


10.4 C] There is no disclosure of personal information within or outside the institution for purposes 
that are directly related to the administration of the program or activity. 


-2 Continue to Question 11 


Will controls and procedures be implemented to account for any new use or disclosure of the personal 
information that is not included in the relevant PIB published in CBSA Info Source? 


Statutory reference: Sections 7 to 11 of Privacy Act and section 4 of Privacy Regulations 


Policy reference: Sections 6.1.9 and 6.2.2 of Directive on Privacy Practices 
YES 


11.1 D Appropriate controls and procedures have been or will be implemented to ensure that: 
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a) the head of the institution (The ATI and Privacy Director) or the appropriate delegate is 
notified about any new use or disclosure of personal information that is not reflected in the 
PIB description published in CBSA Info Source; 


b) the consent of the individual to whom the information relates is obtained in writing, as 
appropriate, prior to any new use of the information for an administrative purpose that is 
not reflected in the relevant PIB published in CBSA Info Source, unless the new use is 
considered to be consistent with the purpose for which the personal information was 
obtained or compiled and the Privacy Commissioner is notified, by the CBSA ATI and Privacy 
Director, forthwith regarding the new consistent use; 


C) except as permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 
information for a purpose that is not reflected in the relevant PIB published in CBSA Info 
Source will only be made with the consent of the individual to whom the information 
relates; 


d) a record is kept for any new use or disclosure of personal information not described in the 
relevant PIB published in CBSA Info Source, and that this record is stored with the personal 
information to which it relates and retained for a minimum period of two years following 
Such a use or disclosure; (The record of use or disclosure should include the name and title 
of the person authorizing the use or disclosure; the name of the institution, person, 
organization or body receiving the information; a description of the use or purpose of 
disclosure; a copy of the information disclosed, or a description in sufficient detail to allow a 
determination of exactly what information was used or disclosed. ] 


e) ifthe information is disclosed to a federal Investigative body under paragraph 8(2)(e) of the 
Privacy Act, the record of disclosure will be kept in a separate PIB for a period of two years 
where it will be available to the Privacy Commissioner for review upon request; (e.g., 
Standard PIB "Disclosure to Investigative Bodies" PSE 913) 


f) the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith, as 
required under subsection 9(4) of the Act, of any new use or disclosure that is consistent 
with the purpose for which the information was obtained or complied, but which is not 
reflected in the relevant PIB published in CBSA Info Source; 


g) the relevant PIB is amended in time for the next edition of CBSA Info Source to include any 
new use(s) or disclosure(s) that are consistent with the purpose for which the information 
was obtained or compiled, as well as any routine use(s) or disclosure(s) that do not fall 
Within the categories of purpose of collection or Consistent use (e.g., these would include 
disclosures of the information under subsection 8(2) of the Act that take place on a regular 
basis. By including these routine uses or disclosures in the PIB, the CBSA would be relieved 
from the obligation to record each use or disclosure on the individual's file); and 


h) the Privacy Commissioner is notified, by the ATI and Privacy Director, prior to or forthwith, 
as required under subsection 8(5) of the Act, about any disclosures made or to be made in 
the public interest or in the interest of the individual to whom the information relates. - 


i) Other 
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— Continue to Question 12 


NO 
11.2 LI Please explain why such controls and procedures will not be implemented 


Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of 
sensitivity of the personal information to be collected and retained for the program or activity? ( Input 
to this section should be coordinated with and reviewed by the CBSA — IT - Security Directorate) 


Statutory reference: Sections 7 and 8 of Privacy Act. 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: 


Management of Information Technology Security (MITS) 


YES 


12.1[X] The information contained in the SoS or similar analysis has been taken into account when 
assessing the level of risks to privacy in "Section 2 - Risk Area Identification and Categorization" 
of the CBSA PIA. j 


An SoS has been completed for GEC (Schedule R), the Trusted Traveller Programs (Schedule V), 
Passage — NEXUS Air Pilot Project (Schedule W), NEXUS Highway Passage (Schedule DD), NEXUS 
Highway Application SoS (Schedule EE), NEXUS Airport Kiosk — Passage (Schedule RR) and 
CATSA (Schedule VV). No significant risks were identified in the above mentioned SOS 
processes. Minor risks have or will be addressed through Standard Operating Procedures 
changes or technology advancements. 


— Continue to Question 13 


**A SoS is not necessarily required as an Annex to this PIA. CBSA's IT Security Directorate must approve 
of the SoS being attached as an Annex, which also includes the review and approval of any SoS 
excerpts. ** | 


NO 
12.2 C] Please explain why a SoS or similar analysis was not considered necessary to assess the 
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Has a Threat and Risk Assessment (TRA) or a similar security assessment been completed for the 
Program or activity? (Input to this section must be coordinated with and reviewed by CBSA — IT - Security 
Directorate) 


Statutory reference: Sections 7 and 8 of Privacy Act. 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: 
Management of Information Technology Security (MITS) 


YES 


13.1 Reference the title of the TRA or other security assessment in "Section 7 — Supplementary 
Documents List" and provide a brief synopsis of the assessment in the space below: 


**Providing a summary of the TRA or annexing the TRA, or excerpts thereof, must not be done 
without the approval of IT Security. - 


13.2 [_] AND, obtain assurances from the officials responsible for the program or activity that the 
measures recommended in the assessment have been implemented to ensure the 
confidentiality, availability and integrity of the personal information. | 

13.3[ ] AND, ensure that any residual risks to personal information are known and accepted by the 
executive or senior official responsible for the program or activity and the Head or delegated 
authority for the Privacy Act. (ATI and Privacy Director) 


— Continue to Question 14 
NO 


13.4| | if a TRA or similar security assessment is underway, simply reference that fact in the space 
below and indicate when it is likely to be completed. If there is no intent to complete one, 
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— Continue to Question 14 


Please identify below any administrative, physical and technical safeguards in place, or to be 
implemented, for this program or activity to ensure the confidentiality, availability and integrity of the 
personal information. (Safeguards must be commensurate with the sensitivity of the information, the 
risks identified, and the nature of the media in which the information is stored, handled and transmitted. 
This section must be completed with input from CBSA — IT - Security Directorate) 


Statutory reference: Sections 7 and 8 of Privacy Act 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: 
Management of Information Technology Security MITS) 


Please also see Annex H - Controls and Procedures Implemented to Limit Access to Personal 
Information 


Please check all that apply, including safeguards identified by the TRA or similar security 
assessment. 


14.1 Administrative safeguards 
Internal security and privacy policies and procedures 
Staff training on privacy and the protection of personal information 
[X] Screening and security checks of employees 
Appropriate security levels for em ployees who will have access to personal information 


L] Contingency plans and documented procedures in place to identify and respond to security 
and privacy breaches, and to communicate security violations to the data subject, law 
enforcement authorities and relevant program managers 


[ ] Regular monitoring of users' security practices 


[ ] Methods to ensure that only authorized personnel who need to know have access to 
personal information | 


[C] Other 


TEM 


14.2 Physical safeguards 
Restricted access areas 
Security guards 
Identification badges are worn by staff at all times 
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[ ] After hours alarms and monitoring systems 
[X] Locked filing cabinets 
[] Combination locks 


[_] Safes 


[ ] Cipher locks 

C] Key cards | 

[ ] Video surveillance (closed-circuit television) 
Secured server locations 

[ ] Backups secured off-site 


Other 


14.3 Technical safeguards 
[ ] Role-based user authorization and authentication 
| ] Biometrics 
Passwords (minimum of 6 characters long, include alpha and numeric characters) 


[.] Passwords are changed by users every 90 days and recently used passwords cannot be re- 
used) 


[ ] Password protected screensavers 


Session-time out security (automatically locks an account after a session has been idle for a 
specified amount of time) 


Firewalls 

L] Intrusion Detection System (IDS) 

[ ] Virtual Private Network (VPN) 

[X] Encryption of sensitive information 

LI Government of Canada Public Key Infrastructure Certificates (PKI) 
C] External Certificate Authority (CA) 

[X] Audit trails 


[ ] Other 
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**Ensure to provide the "controls and procedures" as an annex to this PIA** 


Will the information system(s) used to deliver the program or activity employ cookies or other tracking 
technologies to collect personal information about users and their transactions? (Input to this section 
should be coordinated with and reviewed by the CBSA — IT - Security Directorate) 


Statutory reference: Sections 4 to 10 of the Privacy Act and section 4 of Privacy Regulations 


Policy reference: Subsections 6.1.1, 6.1.3, 6.1.9, 6.2.9 to 6.2.13, 6.2.17 and 6.2.23 of Directive on Privacy 
Practices 


YES 


15.1[X] The specific tracking technologies to be used is adequately described under Part 6: Technology 
and Privacy of "Section 2 — Risk Area Identification and Categorization" of the CBSA PIA; (For 
example, the use of an audit trail that records information, such as user logon ID, date and time 
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of logon, logout, user location, terminal identity, name and ID of client records accessed, 
including edits or changes made during each user session, etc. The information is used to verify 
that only authorized users access personal information and to ensure that access can be linked 
to specific individuals to support the investigation of suspected or alleged misuse. The 
information is retained for a period of two years.) 


15.2 AND, the collection of any personal information using such technologies is reflected in the 
relevant PIB and in "Section 3 — Analysis of Personal Information Elements" of the CBSA PIA; 


15.3 AND, the use of such technologies to collect information about users and their transactions is 
adequately reflected in the "Privacy Notice"; | 


15.4 Dx] AND, those responsible for implementing and using tracking technologies to collect personal 
information or who may have access to personal information collected through these methods 
are made aware of privacy and security policy requirements; 


15.5 [x] AND, where personal information collected through such tracking technologies is used to make 
a decision that directly affects the individual to whom the information relates, it will be 
retained for a minimum of two years after the last administrative action as required under the 
Privacy Regulations. 


— Continue to Question 16 
NO 
15.6[ ] Tracking technologies are not used to collect personal information about users. 


—> Continue to Question 16 


Will the new or modified program or activity result in new or increased surveillance or monitoring of a 
targeted population? (Input to this section should be coordinated with and reviewed by the CBSA — IT - 
Security Directorate) 


À 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 
Charter of Rights and Freedoms 


Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 


YES 


16.1 [] Consult with your legal advisors to determine whether or not such surveillance or monitoring 
activities raise any issues relating to the Charter of Rights and Freedoms, the Privacy Act or 
other applicable acts. 


16.2 And, ensure the surveillance or monitoring method(s) to be used, the characteristic(s) of the 
targeted population and the scope of the surveillance or monitoring are adequately described 
under Part 6: Technology and Privacy of "Section 2 — Risk Area Identification and 
Categorization" of the CBSA PIA. 3 


16.3 AND, any personal information collected or created as a result of such surveillance or 
monitoring is described in the relevant PIB and in Section 3 — Analysis of Personal Information 
Elements" of the CBSA PIA. | 

16.4 AND, the collection or use of personal information through surveillance or monitoring is 
adequately reflected in the "Privacy Notice", unless such notification might result in the 
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collection of inaccurate information or defeat the purpose or prejudice the use for which the 
personal information is collected. 


[ ] If notice about surveillance or monitoring will not be provided 


16.5 [x] AND, those responsible for implementing and using such surveillance or monitoring method(s) 


or who may have access to personal information collected or created through these methods 
are made aware of privacy and security policy requirements. 


—> Continue to Question 17 
NO 


16.6 L] The new or modified program or activity will not result in surveillance or monitoring. 
—> Continue to Question 17 


Does the program or activity involve compliance/regulatory investigation or law enforcement, 


surveillance or intelligence gathering that targets specific individuals against whom penalties, criminal 
charges or sanctions may be applicable? 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of 
the Charter of Rights and Freedoms 


Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
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YES 
17.1 [] Consult with your legal advisors to determine whether or not the compliance/regulatory 


investigation or law enforcement activities raise any issues relating to the Charter of Rights 
and Freedoms, the Privacy Act or other applicable acts. 


17.2 C] AND, identify the legislative authority and the specific regulatory or law enforcement purpose 
involved: | | 


17.3 L] AND, if the legislative authority differs from the legal authority for the program or activity, 
ensure it is adequately reflected in the response to Question 1 of "Section 5 — Privacy 
Compliance Analysis" and in "Section 1 — Overview and PIA Initiation “of the CBSA PIA. 


17.4 [] AND, any personal information collected or created as a result of such regulatory or criminal 
enforcement, surveillance or intelligence gathering program or activity is described in the 
relevant PIB and in “Section 3 ~ Analysis of Personal Information Elements" of the CBSA PIA. 


17.5 C] AND, the collection or use of personal information through these compliance / regulatory 
investigation or enforcement activities is adequately reflected in the "Privacy Notice", unless 
such notification might result in the collection of inaccurate information or defeat the purpose, 
or prejudice the use, for which the personal information is collected. 


C] If notice about the compliance/regulatory investigation or law enforcement activities will 
not be provided. 


IAE 


NO 


17.6 [X] The program or activity does not involve the conduct of regulatory or criminal enforcement, 
surveillance or intelligence gathering. 


SECTION 6 - Summary of Analysis and Recommendations 


The ATI and Privacy Division will document the recommendations resulting from the risk identification 
and categorization, as well as in a manner that is commensurate with the risk identified. The risks and 
recommendations will be incorporated into the action plan as described in Annex B: Office of the Privacy 
Commissioner Expectations (2011) | 


Document the conclusion drawn or recommendations resulting from the risk identification and 
categorization in a manner that is commensurate with the risk identified. 


ACCOUNTABILITY 


Risks and Mitigations Strategies 
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Risk #1: A client may have concerns about the collection, use, disclosure or retention of their personal 
information. 


Mitigation: The application process for NEXUS includes a clearly-designated requirement to provide 

. consent for the use of any personal information collected, and indicates how the personal information 
will be used. All applicants must sign the application form, or fill out a field in the online application 
system to indicate that they understand and consent to the use of their information. Applicants under 
the age of 18 are required to have their parent or guardian complete the application and give consent 
on their behalf. Persons who are incapacitated will similarly have their authorised representative give 
consent on their behalf. Services are provided in both official languages at all enrolment facilities and 
information translation services for other major languages are also available at some ECs. All NEXUS 
applicants are subject to a face-to-face interview with a BSO. This interview provides an opportunity for 
the officer to evaluate the capacity of the individual to give consent to the collection of their personal 
information. If they are unable to provide consent it will be obtained from the power of attorney holder. 
Membership in the program is entirely voluntary, but consent to use personal information for program 
purposes is mandatory for membership. Applicants who refuse to provide consent to the use of their 
personal information will not be admitted into the program. Their application will not be processed, and 
no personal information will be retained. 


If a client has a concern about the collection, use, disclosure or retention of their personal information, 
they may issue a complaint to the CBSA ATIP Division. They will be asked to include a brief description of 
the concern. | 


If a client is denied membership in the NEXUS program or are cancelled or suspended from the program 
by the CBSA, he/she may write to the Recourse Directorate at Headquarters or on-line within 90 days of 
the date shown on the NEXUS denial/cancelled/suspended letter, to request a review of the decision. 


Recommendation: No further recommendations have been made 


IDENTIFYING PURPOSES 


Risks and Mitigations Strategies 


Risk #2: A description of the NEXUS program and why each piece of information is collected may not be 
clear to the client. 


Mitigation: NEXUS allows for customs and immigration border clearance processes to be streamlined for 
pre-approved, low-risk travellers, thus permitting the CBSA’s resources to be allocated more effectively 
at the border. Membership is five years and provides expedited border clearance into Canada and the 
U.S. in the land, air and marine travel modes. NEXUS members use dedicated lanes in the highway 
mode; self-serve kiosks in the air mode; and, by reporting through TRC’s in the marine mode. A full 
description of the NEXUS program is available at WWW.NEXUS.gc.ca. 


To become a member of the NEXUS program, an applicant voluntarily submits an application using 
either a paper form sent to the CBSA or by applying electronically using the GOES maintained by the U.S. 
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member through a risk assessment. 


The following personal information elements are managed by the NEXUS program and used to 
. determine eligibility and continued eligibility in the program: 


full name 

contact information 

signature 

biographical information 

biometric information (for air travel only) 

citizenship status 

criminal checks/history 

date of birth 

credit card information (if not paying by certified cheque or money order); and 
identification numbers such as those contained on the birth certificate, driver's license or 
passport. 


The NEXUS program is authorized under subsection 11.1(1) of the Customs Act and is also governed by 


the Presentation of Persons (2003) Regulations. 
The NEXUS application form identifies the purpose for the collection and on-line notices of use. The 
form can be seen at the following link: http://www.cbsa-asfc.gc.ca/prog/nexus/application-demande- 
eng.html | 
The new NEXUS PIB is available at Schedule B. 

Recommendation: No further recommendations have been made 
CONSENT 


Risks and Mitigations Strategies 


Risk #3: Consent to use an individual's personal information might not be properly obtained from an 
individual. The collection and use of personal information generally requires the consent of the 


might not be obtained, either through a deficiency in the collection process, or because the individual 
was not able to give consent due to language barriers, age, incapacity, etc. 


Mitigation: The personal information voluntarily provided by the applicant is used by the CBSA and CBP 


to confirm their identity and to determine the eligibility of an applicant and the continued eligibility of a 
member through a risk assessment. 
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The application process for NEXUS includes a clearly-designated requirement to provide consent for the 
use of any personal information collected, and indicates how the personal information will be used. All 
applicants must sign the application form, or fill out a field in the online application system to indicate 
that they understand and consent to the use of their information. Applicants under the age of 18 are 
required to have their parent or guardian complete the application and give consent on their behalf. 
Persons who are incapacitated will similarly have their authorised representative give consent on their 
behalf. Services are provided in both official languages at all enrolment facilities and information 
translation services for other major languages are also available at some ECs. All NEXUS applicants are 
subject to a face-to-face interview with a BSO. This interview provides an opportunity for the officer to 
evaluate the capacity of the individual to give consent to the collection of their personal information. If 
they are unable to provide consent it will be obtained from the power of attorney holder. Membership 
in the program is entirely voluntary, but consent to use personal information for program purposes is 
mandatory for membership. Applicants who refuse to provide consent to the use of their personal 
information will not be admitted into the program. Their application will not be processed, and no 
personal information will be retained. 


Canada’s revised Privacy & Consent Statement is as follows: 


The information you provide in your application, including supporting 
documentation and biometric data, is collected by the Canada Border Services 
Agency (CBSA) and is protected pursuant to both the Customs Act and the Privacy 
Act. In accordance with Canadian laws and regulations, this information will be 
shared with other government departments or agencies in Canada and the United 
States of America for the purpose of the operation of the NEXUS program and to 
conduct applicable checks and verifications to determine your eligibility and 
continued eligibility in the NEXUS program. If the required information is not 
provided, your application may not be processed and the authorization may not 
be granted. 


Individuals to whom the information relates have rights of access to, correction of 
and protection of, their personal information under the Privacy Act. The 
information collected is described in Personal Information Bank it CBSA PPU 031. 
Instructions for obtaining information are provided in Info Source, which is 
available at public libraries, government public reading rooms and on the Internet. 
at: http://infosource.gc.ca 


Consent Statement 

| understand that any information gathered for the purposes of this application, including any 
supporting documentation, background information, biometric data and information obtained 
from the relevant files of law enforcement agencies, including intelligence gathered for law 
enforcement purposes, will be used for the purpose of the operation of the NEXUS program 
and to conduct applicable checks and verifications to determine eligibility and continued 
eligibility in the NEXUS program as described in the Presentation of Persons (2003) 
Regulations. My contact information may also be used by the CBSA to send me notifications 
related to changes to the NEXUS program. | 
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In addition, | understand that my personal information gathered for the purposes of this 
application, including my Supporting documentation, background information, biometric data, 
and any other information obtained and collected for the purpose of the operation of the 
NEXUS program and to conduct applicable checks and verifications to determine my eligibility 
and continued eligibility in the NEXUS program, may be accessed and used by the CBSA, as well 
as by other government departments or agencies in Canada (including the Royal Canadian 
Mounted Police and the Canadian Security Intelligence Service), in accordance with the Privacy 
Act. | 


In addition to the above-noted use by the CBSA and other Canadian government departments 
and agencies, | also understand that the CBSA will share its determination of my eligibility to 
the NEXUS program, based on Canadian criteria, with the United States Department of 
Homeland Security (DHS). The DHS will, in turn, disclose to the CBSA its determination of my 
eligibility based on the American criteria. | 


If you do not consent to the above-noted collection, use and sharing of your personal 
information, your application cannot be processed and an authorization cannot be granted. 


Do you consent to the above-noted collection, use and sharing of your personal information 
AND do you certify that all the information given on this application, and in support of this 
application, is provided voluntarily and is true, accurate and complete and that you have read, 
understood, and agree to abide by all conditions applicable to the program to which you apply 
and to the use of the associated authorization, including all instructions and notices 
accompanying this application? o Yes o No 


Recommendation: No further recommendations have been made 
LIMITING COLLECTION 
Risks and Mitigations Strategies 


Risk #4: There is a small risk that the CBSA may ask for more personal information than is necessary 
when a client applies to the NEXUS program. 


Mitigation: The following chart describes the data elements that are collected from the NEXUS client's 
application form and the reason(s) for their collection: 


__| Element  J 


First name/middle name/ last 
RE name/nickname/other names 
[Gender — |Male/Female 
Date of Birth Month/Day/Year/ Birth certificate To identify clients 
Birth certificate number Birth certificate number and To provide proof of citizenship and 
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To identify clients 


CBSA - Released under the Access to Information Act : 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 
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Place of Birth | City/Province or State/Country To identify the individual and 
eligibility in the program 

To provide proof of identity and 
citizenship status | 


Citizenship Status Citizenship in Canada or the U.S.; 
Citizenship and/or nationality of 
third country that has an 
arrangement with the NEXUS 
program 
Citizenship Document / 
Naturalization Certificate number 
and document / Visa/Permit / 
Permanent resident document 
Passport number / Travel document 
number / Photocopy of document 


Citizenship Document / 
Naturalization Certificate number 
and document / Visa/Permit / 
Permanent resident document 
Passport or Travel document 
number (and photocopy of 
document) 
Driver's License and number 


To provide proof of identity and 
Citizenship status 


To provide proof of identity, 
citizenship, and to determine 
eligibility in the program 
Driver's License and number To provide proof of identity and to 
determine eligibility in the program 
To contact clients and to assist in 
performing checks in determining 
eligibility in the program 


Street name/street number/city/ 
province or state/postal 
code/country/ telephone 
number/business phone number/e- 
mail address/ From date/To date 
Employer name/street address/ 
city/province or state/postal 
code/country/phone number/ type 
of occupation/ From Date / To Date 
Iris scan / Photograph 


Home address / Previous address 


Work History 


Iris scan / Photograph 


To assist in performing checks in 
determining eligibility in the 
program 


To identify clients upon entry into 
Canada as being a trusted member 
of the program 
Credit card information To collect payment for inclusion in 
the program 
Collected along with the credit card 
info for payment purposes; to 
record certification that application 


Signature Signature 
info provided is true and accurate 


Criminal checks/history Criminal history information To determine eligibility in the 
program | | 
Immigration checks/history Immigration history information To determine eligibility in the 
program 


Trilateral Trusted Traveller Yes/No To determine eligibility 
Arrangement — confirmation that an 
applicant is a member of their own 
trusted traveller program (done 
thru GOES by U.S. CBP) 
Trilateral Trusted Traveller 
Arrangement — Visa number / 
photocopy of visa 


Credit card information 


Visa number / photocopy of visa / 
electronic travel authority 


To provide proof of identity and 
citizenship and to determine 
eligibility in the program 


Recommendation: No further recommendations have been made 
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LIMITING USE, DISCLOSURE AND RETENTION 
eee tee FI VIN 


Risks and Mitigations Strategies 


Risk #5: Personal information could inadvertently be used for purposes other than those for which 
consent was given by the individual to whom it pertains. The program collects personal information for 
use in determining the application, including risk assessment and admissibility, and in maintaining the 
membership over its term, including enforcement and program integrity activities. There is a minimal 
risk that the personal information could be used by accident for another purpose. 


Mitigation: CBSA adheres to strict controls over how personal information can be used after it is 
collected. CBSA will ensure that any use of the information beyond the uses for which it was collected, 
for example, for law-enforcement or national defence purposes, are in accordance with the appropriate 
legislation (e.g. section 107 of the Customs Act). At this time, the CBSA does not disclose any NEXUS 
membership information to third party providers and no changes to this policy are anticipated in the 
future. 


The paper-based NEXUS application form also specifically notes that personal information may be 
shared with other government departments in accordance with the Privacy Act (Schedule C). The 
electronic version on GOES was also updated on October 18, 2016, to reflect this wording. 


Recommendation: No further recommendations have been made 


Risk #6: Customs information might be misused for a purpose other than that for which it was collected. 
However, the risk of this occurring has been assessed as minimal. Therefore, there is minor concern that 
customs information that is disclosed under the provisions of section 107 of the Customs Act for a 
particular purpose may be used by the recipient for other, unauthorized purposes. 


Mitigation: Use of information has tight controls. Only the absolute minimum required amount of 
customs information (for which requestor can demonstrate need) is collected. The information will only 
be provided for the purposes for which the legal entitlement exists. CBSA personnel are informed of 
their responsibility to protect personal information. All personnel who collect or handle personal 
information are screened to the appropriate level. 


Recommendation: No further recommendations have been made 


Risk #7: Personal information might be improperly disclosed to a third party. Therefore, there is a minor 
risk that personal information regarding program members might be disclosed to a party who is not 
authorised to use the information, and who might use it for purposes for which consent has not been 
obtained is considered minimal. 


Mitigation: Processes are in place to ensure that personal information is not inadvertently released to 
third parties who are not authorized to use the information. Information security measures are in place 
in accordance with Treasury Board policy, to protect information Storage systems from unauthorized 
access. NEXUS program personnel understand their responsibility to ensure that information is not 
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shared with unauthorised third parties. The MOU with CBP regarding information sharing sets out limits 
how CBP may use the information share with it by CBP and who may use the information (Schedule A). 


Recommendation: No further recommendations have been made 
ACCURACY 
Risks and Mitigations Strategies 


Risk #8: Personal information collected about an individual might not be accurate. There is a minimal 
risk that this could occur; nevertheless, as this information could potentially impact an individual's 
access to services or admissibility to Canada, it is important that there be a process for individuals to 
obtain and review the personal information collected about them. 


Mitigation: NEXUS is subject to ATIP inquiries from individuals who wish to obtain access to their 
personal information in order to make corrections. Members can also contact the program directly, | 
through the EC and CPC offices to update their personal information and make any corrections. There 
are processes in place for officers in the field to request corrections to data if an error is detected that 
cannot be easily resolved. An automated log is also in place to track all changes to personal data in case 
of an accidental or erroneous change. Should there be a dispute about information collected concerning 
a member, for example an enforcement record that is impacting their membership to the program, the 
member may appeal to the Recourse Directorate for adjudication of their claim. Clients are informed of 
their right to access their information via the privacy statement on the paper and on-line versions of the. 
NEXUS application. 


Recommendation: No further recommendations have been made 
Risk #9: Kiosk Replacement Project 
Information Technology Risk 


The NEXUS kiosks had been in operation since 2003 and were at the end of their life cycle that could 
have resulted in critical equipment failure and could have jeopardized the delivery of the NEXUS 
program. 


Mitigation 

The CBSA has replaced the previous trusted traveller kiosks with new modular, scalable, interoperable 
kiosks that operate using sound proven technology. The next generation of NEXUS kiosks are more 
secure from tampering or manipulation and more accurate when identifying members because the 
NEXUS membership card is used with iris biometrics to determine the identity of the traveller and to 
authenticate that they are a NEXUS member in good standing. Therefore, the risk of non-NEXUS 
members using the kiosk for entry would be virtually eliminated. 


A Threat and Risk Assessment and Statement of Sensitivity for NEXUS Airport Kiosk Passage was 
performed in 2007 (Schedule RR) but not for the replacement kiosks as far as the Trusted Traveller 
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Programs unit is aware. Nevertheless, as noted above, the upgrades to the kiosks virtually eliminates the 
risk of a non-NEXUS member using the kiosk for entry. 


Recommendation: No further recommendations have been made 


Risk #10: False Matches 
Information Technology Risk 


There was a remote risk that when an individual presented him/herself at a NEXUS kiosk, the system 
would falsely match the iris presented with the iris record on file of a different member. 


Mitigation 

A false match occurred when the old system used to support the NEXUS program matched the iris 
presented at the kiosk with the file of a different member than the one who presented the iris. This 
occurred with members wearing designer contact lenses or simply because two members have similar 
irises on file. 


Although incidents of false matches are extremely rare, now that the previous NEXUS kiosks have been 
replaced and a one-to-one match approach has been instituted, these situations are statistically non- 
existent. A one-to-one search utilizes a trigger, such as the presentation of a membership card, which 
then initiates the process so that the system knows that it must compare the iris captured against the 
iris on file of that specific member thus reducing the potential for any false matches. | 


Recommendation: No further recommendations have been made 


SAFEGUARDS 


Risks and Mitigations Strategies 


Risk #11: Personal information in transit might be intercepted by unauthorised parties. Therefore, 

program activities require that information be transmitted using information technology system 
safeguards to eliminate the interception of NEXUS membership information by an unauthorised party 
and used for an unauthorised purpose. 


Mitigation: The CBSA has developed a disclosure policy and guidelines to cover the use and 
safeguarding of membership information to eliminate the interception of NEXUS membership 
information by an unauthorised party and used for an unauthorised purpose. CBSA information 
technology systems are maintained to a high standard with security a foremost priority. Security 
measures and protocols are in place to protect the confidentiality of electronic communications. These 
are subject to on-going review to ensure they continue to properly protect data. Program personnel - 
understand their responsibility to use only secure Information Technology systems to store and transmit 
personal information in accordance with Treasury Board policy. Communications with CBP are made 
using encrypted transmissions over a dedicated, secure data link. The information-sharing agreement 
with CBP set out how information may be transmitted. They also maintain high standards of information 
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technology and communications security and use only secured systems to handle personal information 
with other U.S. government agencies. 


It should be noted that an IT Security Consultation Report was prepared in 2015 that indicated that IPIL 
Highway Application was a high risk (Schedule T). It notes that one of the risk factors was the lack of 
failover capacity which has now been mitigated by the Data Centre Recovery Project. It also notes that 
the security risks of ICS are directly inherited in the security posture of IPIL Highway and will factor in 
when IPIL Highway will be re-assessed. 


Recommendation: No further recommendations have been made 
Risk #12: Traveller Declaration Cards 
Privacy Risk 


The online Traveller Declaration Card (TDC) requires members' names, credit card numbers and other 
personal information. There is an outside risk that the TDCs could inadvertently be lost or temporarily 
misplaced during transportation from the collection boxes to the CPC for storage or follow up 
administrative purposes. - 


Mitigation: When a NEXUS member completes and drops off their TDC in the collection box, steps are 
taken against documents being improperly handled from their removal from the collection boxes to 
their mailing to the CPC for storage and follow up administrative purposes. 


Storage and access to the TDC's require tight controls. CBSA personnel who handle the TDC's are 
informed of their responsibility to keep them safeguarded and are screened to the appropriate level. 
The standard operating procedures for handling TDCs include the following with regard to mailing 
Protected B documents: 


e  TDCs should be placed in two sealed envelopes for forwarding to the respective CPC located in 
Niagara Falls, ON, Montreal, OC, or Surrey, B.C. 

e The name of the port should also be identified on the inside envelope for statistical purposes. 

e The use of two gum-sealed envelopes for internal mailing should be followed as per security 
policy for Protected B information. 

e Asecurity marking should appear on the inner envelope only, while the address should appear 
on both envelopes. 

e The inner envelope should also be marked: "To be opened by addressee only". 


If officers who handle the TDC's have any questions regarding the handling and transporting of TDC's, 
they may address them to the CBSA's Help Desk at AIS.HelpDesk@cbsa-asfc.gc.ca. 


Recommendation: No further recommendations have been made 


Risk #13: No Threat and Risk Assessment has been completed for the RFID Processor which will allow 
the CBSA to read RFID-enabled documents including NEXUS cards. A TRA verifying the risks associated 
with reading RFID-enabled documents has not yet been completed. 
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Mitigation: To address this, the CBSA is in the process of completing a TRA. The completion date is not 
yet known, however, the process has been started. Should recommendations come out of the TRA, they 
will be addressed at that time. 


Risk #14: The installation of the RFID readers, including the construction of the required infrastructure, 
has begun. Given the lack of a TRA supporting the usage of RFID technology, the risk to personal 
information has not yet been assessed. 


Mitigation: To address this, the CBSA is in the process of completing a TRA. The completion date is not 
yet known, however, the process has been started. Should recommendations come out of the TRA, they 
Will be addressed at that time. 


Risk #15: No TRA has been completed for the NEXUS program verifying the risks associated with NEXUS. 


Mitigation: NEXUS is a voluntary program designed to expedite passage for low-risk travellers. To 
address the lack of a TRA, the CBSA is in the process of completing a TRA. The com pletion date is not yet 
known, however, the process has been started. Should recommendations come out of the TRA, they will 
be addressed at that time. 


OPENNESS 
Risks and Mitigations Strategies 


Risk #16: Individuals might not use the NEXUS program if they do not have confidence that their 
personal information will be safeguarded. This risk is considered low. There is a minimal risk that NEXUS 
could be perceived negatively if potential applicants are not satisfied with the measures taken to protect 
their information. The CBSA will ensure that this concern is addressed to the greatest extent possible. 


Mitigation: Individuals must understand where and how their information is collected and stored, as 
well as what measures are being taken to secure their information. The CBSA has endeavoured to 
address this concern by ensuring that the Canadian and U.S. Privacy Statements are included on both 
the paper and the on-line NEXUS application form. The privacy statements clearly explain how the 
information will be shared with other government agencies in Canada and the U.S. Pursuant to these 
measures, the risk of negative perceptions about proper safeguards for personal information is minimal. 
In addition, the CBSA has embedded a direct link to the Canadian and U.S. Privacy Statements on the 
homepage for NEXUS at www.nexus.gc.ca. 


Recommendation: No further recommendations have been made 


Risk 417: There is a risk that the Privacy Notice Statement and the Consent Statement provided to 
applicants are not as clear and thorough as they should be. 


Mitigation: The text has been amended in accordance with the CBSA's October 2012 letter to the OPC 
which recommended that "CBSA update their privacy notice to provide more information to applicants 
on the specific Canadian government organizations to which personal information may be disclosed and 
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the purposes for disclosure." The CBSA has revised the NEXUS application form to include the specific 
Canadian government organizations to which personal information may be disclosed and the purposes 
for disclosure. The Statement now reads as follows: 


Canada's Privacy Statement 

The information you provide in your application, including supporting 
documentation and biometric data, is collected by the Canada Border Services 
Agency (CBSA) and is protected pursuant to both the Customs Act and the Privacy 
Act. In accordance with Canadian laws and regulations, this information will be 
shared with other government departments or agencies in Canada and the United 
States of America for the purpose of the operation of the NEXUS program and to 
conduct applicable checks and verifications to determine your eligibility and 
continued eligibility in the NEXUS program. If the required information is not 
provided, your application may not be processed and the authorization may not 
be granted. 


Individuals to whom the information relates have rights of access to, correction of 

and protection of, their personal information under the Privacy Act. The 
information collected is described in Personal Information Bank # CBSA PPU 031. 

Instructions for obtaining information are provided in Info Source, which is 

available at public libraries, government public reading rooms and on the Internet 

at: http://infosource.gc.ca 


Consent Statement. 

| understand that any information gathered for the purposes of this application, including any 
supporting documentation, background information, biometric data and information obtained 
from the relevant files of law enforcement agencies, including intelligence gathered for law 
enforcement purposes, will be used for the purpose of the operation of the NEXUS program 
and to conduct applicable checks and verifications to determine eligibility and continued 
eligibility in the NEXUS program as described in the Presentation : of Persons (2003) 
Regulations. My contact information may also be used by the CBSA to send me notifications 
related to changes to the NEXUS program. 


In addition, | understand that my personal information gathered for the purposes of this 
application, including my supporting documentation, background information, biometric data, 
and any other information obtained and collected for the purpose of the operation of the 
NEXUS program and to conduct applicable checks and verifications to determine my eligibility 
and continued eligibility in the NEXUS program, may be accessed and used by the CBSA, as well 
as by other government departments or agencies in Canada (including the Royal Canadian 
Mounted Police and the Canadian Security Intelligence Service), in accordance with the Privacy 
Act. | | 


In addition to the above-noted use by the CBSA and other Canadian government departments 
and agencies, | also understand that the CBSA will share its determination of my eligibility to 
the NEXUS program, based on Canadian criteria, with the United States Department of 
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Homeland Security (DHS). The DHS will, in turn, disclose to the CBSA its determination of my 
eligibility based on the American criteria. 


If you do not consent to the above-noted collection, use and sharing of your personal 
information, your application cannot be processed and an authorization cannot be granted. 


Do you consent to the above-noted collection, use and sharing of your personal information 
AND do you certify that all the information given on this application, and in support of this 
application, is provided voluntarily and is true, accurate and complete, and that you have read, 
understood, and agree to abide by all conditions applicable to the program to which you apply 
and to the use of the associated authorization, including all instructions and notices 
accompanying this application? o Yes o No 


Recommendation: No further recommendations have been made 


Risk #18: There is a risk that the NEXUS Personal Information Bank (PIB) is not as clear and thorough as it 
should be. | | 


Mitigation: The text has been amended in accordance with the CBSA’s October 2012 letter to the OPC 
which stated that it would “...amend its Personal Information Bank to better reflect the information 
sharing activities". The draft revised PIB is included in Section 1 of this PIA. | 


Recommendation: No further recommendations have been made 


INDIVIDUAL ACCESS 


Risks and Mitigations Strategies 


Risk #19: Individuals may not be properly informed of their right to access information collected by the 
NEXUS program, or may be aware of their right but not be properly informed of the process. This risk is 
considered low because the Canadian Privacy Statement embedded in both the paper and the on-line 
versions of the NEXUS application inform prospective members that: | 
e The information they provide on the form, including supporting documentation and biometric 
data is collected by the CBSA and is protected pursuant to both the Customs Act and the Privacy 
Act; | 
e The information will be shared with other government departments or agencies in Canada and 
the United States of America for the purpose of the operation of the NEXUS program and to 
conduct applicable checks and verifications to determine their eligibility and continued eligibility 
in the program; 
e The information collected is described in PIB #CBSA PPU 031; 
e Instructions for obtaining information are provided in Info Source, which is available at public 
libraries, government public reading rooms and on the Internet at http://infosource.gc.ca. 
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There is no published national procedure requiring the program's employees to inform clients of their 
right to access information. The NEXUS program's SOPs do not mention Privacy considerations. 


Mitigation: A direct link to the Privacy Statements can now be found on the homepage for NEXUS 
(www.nexus.gc.ca) on the CBSA external website in order to improve access to this information. 


In addition, a revised PIB is included in Section 1 of this PIA. 
Recommendation: No further recommendations have been made 


Risk #20: Individuals will not have access to their personal information if that information is required. 
This risk is considered low. Individuals have the right to access their personal information upon request. 
There is a remote possibility that personal information collected by CBSA may not be available upon 
request due to some type of systems failure. 


Mitigation: Audit trails are built into all information technology systems, including log systems in the 
passage facilitation technology, and logs of all activities which affect the personal information saved to 
an individual's record. All systems are backed up and personal information retained in accordance with 
CBSA policies. | | | 


Clients may also access and correct their personal information by attending in person at an EC or 
electronically through GOES. 


Recommendation: No further recommendations have been made 


CHALLENGING COMPLIANCE 


Risks and Mitigations Strategies 


Risk #21: There is an outside risk that an individual might challenge the CBSA to demonstrate how it 
complies with its responsibilities under Privacy legislation. It is possible that an individual may submit a 
claim that the CBSA has not taken sufficient measures to satisfy their privacy obligations. The Agency 
would develop communications material to explain how it adheres to the legislation and regulations 
(e.g. subsections 107 (4) (5) (6) (8) and (9) of the Customs Act). The CBSA's Policy on the Disclosure of 
Personal Information has been made available to the general public as evidence to attest to the fact that 


appropriate privacy protection processes are being fully implemented (see Schedule K). 
Mitigation: Any related challenges will be processed by the ATIP Division, who is responsible for 
ensuring that the public understand how the Agency complies with the provisions of the Access to 
Information Act, the Privacy Act, and fulfills its responsibilities under the Customs Act. 


Recommendation: No further recommendations have been made 
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Summary of Identified Risks (exam le): 


1 - Accountability 2-3 Activity Partners 

| 2 — Identifying 2-1 Type of Program or Activity; 5-9.4 
mu LR 
3 - Consent 5-5.2 and 5-5.3 Indirect Collection with 
uite RO a 


4 - Limiting 2-2 Type of Personal Information and 
Collection 


Context; 3 Analysis of Personal 
5 - Limiting Use, 


Number 


2-3 Activity Partners RE 
-3 Activity Partners Bee ee eed 


2 | 
7 6 — Summary of Analysis and 
Recommendations 
6 — Summary of Analysis and | 
72s |) 
6 — Summary of Analysis and 
EN NN 
10 6 — Summary of Analysis and 
Recommendations 


7 - Safeguards 2-7 Personal Information Transmission = 


Information Analysis; 5-3.6 Authority 
for Collection of Social Insurance 

Disclosure and 

Retention 


6 - Accuracy 


[5i2and&igs | 
. 14 Safeguards — Administrative, 
INFO uM 
13 6 - Summary of Analysis and 
Recommendations 
14 6 — Summary of Analysis and 
Recommendations 
15 6 — Summary of Analysis and 
Recommendations 
8 - Openness 16 6 — Summary of Analysis and 
Recommendations 
17 6 - Summary of Analysis and 
HF NN | 
18 6 — Summary of Analysis and 
Recommendations 
19 6 — Summary of Analysis and 
Recommendations 
20 6 — Summary of Analysis and 
[meme | 
10 - Challenging 21 6 ~ Summary of Analysis and 
Compliance Recommendations 


9 — Individual 
Access 


Canada Border Services Agency 


NEXUS Program | | | PIA 
| SECTION 7 - SUPPLEMENTARY DOCUMENTS LIST 


List all supplementary documents that support the conclusions of this CBSA PIA. For each document, cite 


the specific sections of the documents (subject, chapter, page, paragraph, etc.) that correspond with the 
CBSA PIA and link them to the PIA sections. | 


|Document —— Document Reference PIA Reference 


MOU for the Disclosure of - PartsD&E Introduction Part 2 


Information for the Purposes of the 10.1.4 
Joint Alternative Section 6, Risk #7 
Presentation and Inspection Programs Annexes D & H 
between CBSA and CBP | | 
NEXUS Personal Information Bank Introduction 
Section 6, Risks #2, 15 & 16 
NEXUS Application Form Sections A, B, C F & G Introduction #2 & Part 1 
| S.4 - Notice 
s.5, 5.3 


5.6, Risk #’s 2, 5, 13 & 14 


All sections S.4 — Explanation of the Process 
& Notice | 
$.5, 5.1 
| Risk #’s 8, 13, 14 &16 
Annex H, #1 


Sections A, B, C E& F s.4 — Credit card info & Notice 
Risk 412 


 Admissibility Complaint Policy of the 

RSR | 
NEXUS Privacy & Consent Portions of Introduction, Part 4 
Policy on the Disclosure of Customs Pages 7 & 12 s.5, Parts 9.4 & 11.1 
Trusted Traveller Programs Part 4, CBSA Revocation of 

. | Policy on the Retention of Payment 5.4 — Credit card info & part 7.3 

Policy on the Disclosure of Personal Pages 5,7 & 21 s.6 — Risk #18 | 

-GEC-GES interface Specifications "| Pages — [wi — — — —  — 
Print Screens Global Enrolment NEXUS| All sections | 
Data Matching — On-Line NEXUS Sections 1, 3 & 4 Definitions 
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Interconnection Security . | 
Understanding 

Business Use Cases 

TRA and SoS for Global Enrolment 
Component 

Integrated Customs System — Use Case 


NEXUS IT Security Consultation Report 
GEC Restructuring | 
TRA and SoS for Trusted Traveller 
Programs 
TRA and SoS for Passage ~ NEXUS Air 
Pilot Project 
NEXUS Highway Technology Design 
Document 
NEXUS Air Pilot Project Charter 
NEXUS Marine Project Charter 
TRA and SoS for NEXUS Highway 
TRA and SoS for NEXUS Highway 
Passage (2003) | 
SLA Between ISTB and Programs 
Branch for NEXUS Highway 
TRA and SoS for NEXUS Highway 
Passage (2005) 
NEXUS Highway Application SoS 

. NEXUS Highway Passage TRA 
Peace Bridge NEXUS eGate SOPs 
Peace Bridge NEXUS eGate Mock-up 


g 
- 
£D 
5 
ga 


eGate Network Diagram 

NEXUS eGate Business Requirements 
for Proof of Concept 

E-Gate Interim Report 

Policy on the Overt Use of Audio-Video 
Monitoring and Recording Technology 


NEXUS eGate Process Flow 

MoU Between the CBSA, U.S. CBP and 
Mexico’s INM 

Operational Program Plan 
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Sections 1 & 2 Introduction, #4 


Sections 7 - 14 $.5-12.1& 13.1 


Sections 1, 3& 4 Executive Summary 
s.1 

s.4, 81 

s.6, Risk #2 


Pages 4, 5,6 | $.5, 12.1 & 13.1 


Pages 3-7 s. 5, 12.1 &13.1 | 


Pages 3, 4, 5, 24, 25 & 26 


[Page —n — — [NI —— | 
Pases —  —  — [wl ^ | 
Pages 3 — 6, 27 [s5121&131 ^. 


Pages 3 — 7,26 s.5, 12.1 & 13.1 


Pages4-7,12 — 


s.5, 12.1 & 13.1 

Sections 2 & 3 | [$5,121 ^ ^ ^ | 
Sections 2,3,586  ' js5121&131 1 
Pages 1-2 Introduction, #3 


Full diagram | Introduction, #3 


Full diagram 
Introduction, #3 


Sections 1 — 4, 12 


Sections 1, 3, 4 & 6 
Introduction, #3 


Pages 3 — 7, 11, 13, 14 
s.1 


s.2, 6.3.2 
s.5, 16.4 | 


Pages 2-3 Introduction, #2 
ee — NN 
Sections 2, 3, 5, 6, 11, 12, Annex Introduction, #2 
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Business Use Case ~ TTP — Entry into | Sections 1 & 2 

TTP Kiosk — Technology Architecture | Sections 2, 6 & 7 Introduction, #4 

TRA and SoS for NEXUS Airport Kiosk —| Pages 4, 8, 13, 34 & 35 $.5, 12.1 & 13.1 
M 
| Service Level Objective (SLO) forthe | Page4 © | | 

MoU Between the CBSA and CATSA | Sections 1,3,4,5&6 | Introduction, #1 
Trusted Traveller CATSA Line Full diagram | Introduction, #1 & Parts 1, 2&3 
Automated Gate Solution | 


s.2, 6.3.1 
CATSA Statement of Sensitivity Sections 2, 3, 4& 8 s.5, 12.1 | | 


s.4, #6 
CATSA Service Level Agreement Sections 2 & 4 Introduction, #1 
s.4, #6 
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SECTION 8 - FORMAL APPROVAL 


The following signature represents a The following signature represents a 


commitment to comply with sections 4 to 8 of commitment by the Head of the institution or 
the Privacy Act and the related privacy policy his/her delegate(s) who is responsible for 
requirements outlined in the CBSA PIA as they establishing personal information banks in 
relajetp the administration of the identified accordance with section 10 of the Privacy Act. 


= 


—— 
Signature of CBSA ATI and Privacy Director 


A Vic President lead for 
program or activity 


dort- OF - 2d | eo -/2-/7 


Date Date 


Note: Responsibility for sections 4 to 8 of the Note: Under the Privacy Act, the Head or his/her 
Privacy Act rests with all employees of government delegate(s) is responsible for complying with legal 


institutions that handle personal information. | and relevant privacy policy requirements related to 
Officials who manage such programs and activities the approval and registration of personal 
are responsible for ensuring that such information banks 


requirements are implemented as part of the 
administration of the program or activity. 
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Annex A: Privacy Compliance Checklist and Other Considerations 


Note: The table below must be used to keep an account of actions completed and to track outstanding actions required to achieve 
im ODRE 


1 
| RE C RN dr b aite PLM TNNT EON NM wi 
| 1 | Lega NUDO for the program or activity has bene esta tablished |^ S 
| andi is reflected in the relevant PIB. | 
2 a) The categories and elements of personal information to be | | | 


_ collected for the new program or activity have been carefully | 
| assessed based, for example, on the CBSA's experience gained NM D ! 
. With the administration of a similar program or activity. The | ~ 
| personal data collected will be limited to only that which is | | | 
| required.) | | | 
| 
i 


| | b) Categories and elements of personal information have been x | L | 
| _ described in the relevant PIB for the program or activity. | KI | 7 | 
| e] Controls and procedures will be implemented to ensure the | | | | 
| . CBSA does not collect more personal information than | : | 
| | necessary for the program or activity and that a continuing need | | | 
| | exists for the personal information and its collection. | : | 
= a ee Seen onan ONY eee ND DR ae ne 3 ae : 
| 4 and 5 | a) All of the requisite "Privacy Notices" and "Consent Statements" j | | 
: ^ that meet the requirements of sections 6.2.9 to 6.2.12 of the | x< | L] | 
| . Directive on Privacy Practices have been drafted. (Texts of the | : | 
| | notices and consent statements must be included as an annex.) | | | 
| , Fora copy of the CBSA Privacy Notice and Consent Statement | x ! 


| template, contact the ATI and Privacy Division. 


| | b) Controls and procedures have been implemented to keep 

| , records of individual consents, and to ensure that persons 

|! acting on behalf of individuals who do not have the capacity to 

: | provide consent have the authority to do so under section 10 of : 
| | | the Privacy Regulations. 


d 


| 7 IF A Records Disposal Authority (RDA) has on — by 

| : Library and Archives Canada to authorize the disposal of the B 
| records containing personal information for the program. | | 

| | b) Controls and procedures have been implemented within the | X4 

| [ program or activity and the CBSA ATI and Privacy Division to ` 

| : ensure that information that has been used for an | 

| administrative purpose will be kept for the minimum | Z 
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| | retention cared established by the a Regulations. | 

| | 0) Reference to the RDA, the retention period and the | | | 
| ——— standards for the program have been cited in the | | | 
| i 
| 8 Controls - élire d are in deb process of Die implemented | | | 
| | to ensure that the personal information associated with the |. ED o ; 
- | program. is as accurate, complete and up-to- -date as necessary. E | : 


pe SS» LIRE Dana ere ee eva ve RE EN A SD e A nm ENO ee RRNA 


ther Privas Considerations related to specific principles that are not explored in the previous 17 sections 
(these considerations should be explored in the Executive Summary) | 


i 
| 


! 


Pr cat 
| Openness | Describe lou thes results ofa any privacy impact assessment or | Xx | C] 

| | audit will be made available to the public. The Executive Summary | | 

! ` will be published on the external CBSA ATI and Privacy Division | | 

| _ Website at http://www.cbsa-asfc. gc.ca/agency-agence/reports- | 

| | rapports/pia- eivp/atip- "aiprp/pias- -sefp-eng. html | | 
———— ETÀ ites a a 


| Are policies and practices relating to the proposal's management X | [] | 
| | | 
| and handling of personal information available to the public? | 


eem, MERERI 4 8 um or meet aste m dest ^ cece sce a as T "REREAD e maint —————— EG A ARBOR ura eR Ay ER we D an —————— ae né 


| Is there a communications plan to explain to the public how 
| | personal information will be managed and protected? 


1 
TEES Frome SS un i tat e M re D ——ARARRRARRn 5 — RR 
Li 


n T Dimensions enema To 


| | Is there a clearly defined and easy process for individuals to access | 
| | such information and/or communicate with appropriate | 
E individuals with respect to policies and practices relating to 
| | management and protection of personal information? 


P HE RON E RENE a DNA m —À M MÀ MÀ MÀ —— MÀ À—ÀÀ— 


| | | Where appropriate, will public consultation take place on the 
| privacy implications of the proposal? 


— ARP nr EE STE TN 


À 1 E 
———À—— T——— aa en ras aan D ee me dr mm mr nl 


| | Individual's Access Is the system designed to ensure that an individual can Tm 
to | access to his/her personal information, including all other 

' programs or applications that have received copies of the 

_ information? s. 12(1) 


| 
H 
| 
i 


Personal 
information 


EE, SVP ONDON IN ec Sata AMOUR e V sunt SaL ESHER ov am PRAHA C. HA ed RER i came 2 ava uin sa fu s Need a 


| | | Are there documented Dire developed or sinned on how 
| | to make privacy requests or requests for the correction of 
| personal information? s. 12 (2) 
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| Are individuals Brovided: with access to their personal information 


E | in the official language of their choice? s. 17(2) | | | 
— — iud m e cl ea SERES ME E EE 
| ' If appropriate, are individuals provided with access to ober | | NU 
| , personal information i in an alternative format? s. VG) d | | 
| Challenging - | Are the complaint procedures for the proposed program or | 2S | 

| Compliance | Service consistent with legislated requirements? s. 29-35 | | 

EIE een IE CHEER RP dte uu M LA eMe E uS EA b M dts rH | Se AE, RR 

| . Toi improve information management practices and standards, | XI : 

: | has a procedure been established to log and periodically review | | | 
| | the nature, frequency and resolution of complaints? | | | 
E CET E te — m—— DE PEE E HERES a E ae —ÀdL7 asus m 
| : Are there oversight and review mechanisms implemented or | ÈI | E | 
| | available to ensure accountability? | j | 
g | Have oversight agencies, including the Office of the P Privacy | ü g | 
| ; Commissioner, issued reports or opinions on issues that would be | | 
i elevant to the proposal? Z | | 
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Annex B: Office of the Privacy Commissioner Expectations 


In their March 2011 document, Expectations: A Guide for Submitting Privacy Impact Assessments to the 
Office of the Privacy Commissioner of Canada, the OPC has expressed the importance of analysing the 
risks of the project, program or initiative against the ten universal privacy and fair information practice 
principles of the Canadian Standards Association Model Code for the Protection of Personal Information. 


The most relevant demonstration of the privacy risk and compliance analysis is the action plan. The OPC 
has said the following in their Expectations guide with respect to the action plan: 


Once privacy risks and their proposed mitigating measures have been identified, we expect to see 
an Action Plan drawn up by the institution, indicating a specific time frame for remedying or 
mitigating the risks that have been identified, and if possible, naming a specific person or staff 
position accountable for taking action. 


The action plan must list all privacy risks and compliance issues identified in the PIA and supplementary 
documentation. All risks and issues must be organized by the 10 universal privacy principles. 


All recommendations and proposed mitigation strategies must also be described in the action plan. 
Identify the responsible program area and the timeline for completion or implementation of the 
strategy. The ATI and Privacy Division will provide programs with an action plan template to be 
addressed near the end of the PIA process. 


The expectations of the OPC for each privacy principles are included below for your reference. 


Accountability | 

Under this principle the OPC would expect to see documentation of an administrative structure for 
privacy, including input from legal services, access to information and privacy and information 
technology branches within an institution, with defined processes for determining when new projects 
require PIAs, for carrying them out, implementing mitigating measures and auditing for assurance of 
compliance. We expect PIA reports to be signed off at the appropriate level, and that training in privacy 
issues and procedures has been documented and is refreshed with employees regularly; and that 
privacy protective language is included in all contracts with third parties handling personal information 
in accordance with TBS guidance documents and internationally accepted best practices; and that 
regularly scheduled privacy compliance audits will be undertaken and the findings acted upon. 


Identifying Purposes | 

The Privacy Act restricts federal government institutions to the collection of personal information that 
relates directly to an operating program or activity of the institution, so we would expect to see a clear 
description of the program and why each piece of information is needed; a description of the legislative 
authority for the collection; a clear listing of all the data elements collected; copies of any relevant 
documents such as application forms identifying the purpose for the collection or on-line notices of use; 
a Copy of an up to date PIB description; a statement of any proposed new consistent use of information 
previously collected and a clear rationale as to how the use is reasonable and directly connected to the 
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original collection -- this may include an analysis of how an individual to whom it relates would 
reasonably expect it to be used for that purpose; a statement outlining any intended secondary uses of 
the information; whether the information is collected directly from the individual and if not, why; and a 
description of how personal information used for planning, forecasting or statistical purposes would be 
anonymized or de-linked from individual identifying information. 


Consent 

This is closely tied to the Identifying Purpose principle. Under this principle, OPC would expect to see a 
copy of notification language on forms or websites; a clear description of the purpose for collection; a 
rationale for not seeking consent, as is provided for in the Privacy Act; for web sites, a copy of the 
Privacy Notice Statement under which personal information is submitted to the institution. 


Limiting Collection 

Under this principle, OPC would expect to see a clear justification of the need for each data element 
collected, in keeping with the requirement of the Privacy Act that no personal information is to be 
collected by a government institution unless it relates directly to an operating program or activity of the 
institution; an indication that a data minimization exercise has been undertaken to ensure that each 
data element is necessary and that this exercise will be refreshed regularly; and that information 
collected from another department for a secondary use will be purged of all but the essential data 
elements before use. 


Limiting Use, Disclosure and Retention 

Under this principle, OPC would expect to see a description of the specific uses and proposed | 
disclosures of the information; a clear statement limiting the use of the information to the purposes 
identified; a clear retention policy and disposition schedule that is also noted in the PIB; a process for 
destruction of the information that is in keeping with the Privacy Act and Regulations; copies of MOUs 
or agreements with third parties to whom information is disclosed governing its use, retention and 
disclosure, and clauses with contractors or sub-processors of information indicating the originating 
institution has the right to audit for compliance with privacy provisions. 


Accuracy 

Under this principle, OPC would expect to see a description of the process used by entities to ensure 
accuracy, particularly when administrative decisions are made; a description of how changes to records 
are logged and monitored; a statement of whether automated decision-making based on risk profiles is 
being undertaken and how automated decisions are vetted for accuracy; an explanation of the 
processes open to individuals seeking to correct information; a description of the process by which 
second or third parties to whom information has been disclosed will be notified of changes and 
corrections to the record; and a description of how audit trails of records transactions are monitored 
and evaluated. 


Safeguards 
OPC would expect to see under this principle a description of the physical and electronic Safeguards that 
are in place to protect information; a Threat & Risk Assessment (TRA) with emphasis on privacy risks and 
concerns and a discussion of how these concerns have been remedied or addressed; a notation that 
encryption is used for personal information both in transit and at rest; a description of how system logs 
of information transactions are monitored for inappropriate use, including viewing of the information; 
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strong electronic access control, including controls on remote access, and the use of mobile devices; 
policies for the use of portable storage devices such as flash drives; a description of role-based access 
controls; and a description of the steps taken to ensure complete destruction of the information at the 
end of its life cycle. | 


Openness 

Under this principle, OPC would expect to see a summary of the PIA written in plain, understandable 
language, posted on the institutional website in a manner accessible to the general public and 
containing a link to the relevant PIB description in CBSA Info Source; for particularly sensitive or privacy 
invasive programs we would expect to see the public communications plan described in the PIA, 
including a variety of methods such as posters, brochures and media announcements as well as detailed 
discussion of the PIA in the institution's Annual Report under the Privacy Act; a description of 
consultations with key stakeholders and the privacy risks or concerns raised should be readily available 
on the website; the name and contact information of an individual accountable for the handling of 
personal information should be easily obtained through the website or by calling the institution's main 
public number. 


Individual Access | 

Under this principle, OPC would expect the PIA to include a description of any informal process the CBSA 
may have in place for access to and correction of personal information; an up to date and 
comprehensive description of information contained in the PIB corresponding to the initiative; a 
description of the process by which information in the hands of third parties is corrected following 
requests; a description of how the general public is made aware of these processes, for example, by a 
link and/or a toll-free number shown on the home page of the institutional website. 


Challenging Compliance | 

OPC would expect to see the PIA address this principle by indicating clearly who is responsible for 
receiving and resolving privacy complaints; describing complaints that may have been received in any 
similar activity or pilot project and how they were handled; including privacy issues in project 
evaluations or feasibility reports; describing how and when compliance audits for privacy will be 
undertaken; including information on how to file a complaint with OPC under the Privacy Act; and 
reporting in some detail on specific and/or systemic privacy issues in its Annual Reports. 
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The Description section in a PIB describes the personal information in the records to which the bank 
relates. TBS has established the following categories of personal information, which give examples of 
specific elements of personal information that fall under each category. The purpose of the 
categories is to reduce the number of personal information elements that need to be listed in the 
Description section. These categories are representative of the personal information collected by 
most institutions, and they now appear in many of the CBSA registered PIBs. The ATI and Privacy 
Division modified the original list to reflect CBSA business lines. 


Biographical information (e.g. work history, curriculum vitae, family information, Passenger 
Information, etc.) 

Biometric information (e.g. blood type, eye or facial sca n, DNA, finger / hand prints, etc.) 
Contact information (e.g. work and / or home information, including postal and e-mail 
addresses, telephone, fax, cell phone numbers, etc.) 

Citizenship status or Nationality (e.g. citizen, landed immigrant, etc.) 

Crew detailed information 

Criminal checks / history (e.g. information related to criminal record checks, investigations, 
charges, conviction dates and locations, pardons, etc.) 

Date of birth 

Date of death 

Destination City 

Employee identification number (e.g. Personal Record Identifier) 

Employee personnel information (e.g. records of attendance and leave, notices of disciplinary 
action, alternative work arrangements, decisions concerning compensation and fitness for 
work, official languages qualifications, salary, deductions, level of security clearance, 
performance reviews and appraisals, rating board assessments, including evaluation notes 
from staffing boards, training and development course applications and evaluations, etc.) 
E-Ticket Information 
Financial information (e.g. income, investments, mortgages, loans, orders of garnishment, 
financial institution information for direct deposit and other banking purposes, including name 
and branch number of institution, account number(s) and name(s) on accounts, etc.) 

IBAS Case Number | | 

Gender 

Itinerary Cities 

Language (e.g. mother tongue, official and other languages, etc.) 

Medical information (e.g. psychological assessments, blood type, etc.) 

Name (e.g. last name (surname/family name), given names (first, second or more), maiden 
name, nicknames, aliases, etc.) 

Opinion or views of, or about, individuals 

Passenger Name 

Passport Number or Travel Document Number 

Place of ticket purchase 

Photos 
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Physical attributes (e.g. height, weight, color of hair and eyes, physical markings (scars, tattoos, 
body piercing), etc.) | 

Place of birth 

Place of death 

Port of Embarkation and Port of Debarkation 

Signature 

Social Insurance Number 

Special Travelling Considerations such as Employee Pass, ROUEN Pass and Parental Passes 

Visa Number 
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Annex D: Controls and Procedures Implemented to Limit Personal 
Information Collection 


Section 5, Question 2.2 requires CBSA to implement controls and procedures to ensure the CBSA does 
not collect more personal information than is necessary for the identified program/activity and that a 
continuing need exists for that information to be collected. | 


This section provides a brief description of the controls and procedures that have been implemented. At 
a minimum, this section will address the following: 


1. Procedures that clearly identify the need to collect, use, and disclose only the information 
necessary to perform a particular task; 

Procedures that identify and limit secondary uses of the personal information; 

Training to staff on those procedures; 


Regular (at least yearly) audits to ensure staff are abiding by those procedures; and 


zr ou» RS 


Regular (at least yearly) audits of other institutions' uses and safeguards of personal information 
shared with them as part of the processes identified in Section 4. Included in these audits is a 
determination if unauthorized secondary uses or disclosures have been performed by the 
institution. 


The NEXUS program is authorized under subsection 11.1(1) of the Customs Act and is also governed by 
the Presentation of Persons (2003) Regulations. The personal information collected will be used solely 
for the original purpose for which it was obtained which includes making a determination of eligibility 
into the voluntary NEXUS program or to assess or maintain existing NEXUS membership status. Further, 
a CBSA-CBP MoU for the Disclosure of Information for the Purposes of the Joint Alternative Presentation 
and Inspection Programs has been developed that describes the collection, use and disclosure of 
information for the purposes of the NEXUS program (see Schedule A of Supporting Documentation). 


The CBSA cannot collect more personal information than what is asked for in the application form (see 
Executive Summary for a detailed list of information collected); the information collected assists with 
the risk assessment and continued risk assessment of the client to ensure they are low risk at time of 
application and throughout their membership. 


All CPC staff are trained on the appropriate procedures for collecting, recording and storing of all 
personal information for the NEXUS program. Training procedures are retained on the CPC unit's 
shared-drive for access by new employees and/or workshop training/employee reference and are 
updated on a regular basis. Audits are conducted regularly to ensure procedures are followed by CPC 
staff. Formal sampling is conducted bi-annually with results reported to HQ. 


Under the Trilateral Trusted Traveller Arrangement, Canada, the U.S. and Mexico are developing 
controls and procedures with regard to limiting the collection of personal information (an MoU and an 
Operational Program Plan have been signed). Similar arrangements are being developed with the UK. 
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Annex E: Controls and Procedures Implemented to Documenting 
Consent and Withdrawal of Consent 


Section 5, Responses 4.3, 4.4, 5.2 and 5.3 require CBSA to implement controls and procedures ensuring 
the CBSA keeps a record documenting whether or not an individual provided consent when it was 
sought, including a record documenting any withdrawal of the consent. 


This section provides a brief description of the controls and procedures that have been implemented. 
At a minimum, this section will address the following: 

The purpose of the consent and the specific personal information involved; 

When is Consent Required? 

The sources who will be asked to provide the information, in the case of indirect collections. 


Purpose of the Consent. 


HL de. WD, qus qa 


Uses and disclosures that are not consistent with the original purpose of the collection and for 
which consent is being sought. | 


6. Any consequences that may result from Withholding consent. 
7. Any alternatives to providing consent. 


8. Identify standards and mechanisms that are in place to ensure an individual has the capacity to 
give consent. 


9. If information is being collected from persons authorized to act on behalf of minors, 
incompetents or individuals who have been deceased for less than 20 years, identify the 
mechanisms ensuring that such persons are authorized to act on behalf of such individuals who 
do not have the capacity to provide consent. 


10. Procedures for collecting and storing consent (either electronically, paper-based, or both). 


11. Procedures for collecting, recording, and storing withdrawal of consent, including notification to 
: the individual of the consequences, if any, of withdrawing consent. 


12. Training to staff on those procedures; 
13. Regular (at least yearly) audits to ensure staff are abiding by those procedures; and 


14. Standards and Mechanisms utilized to validate an individual’s legal authority to provide consent 
for a minor, incompetent person, and deceased person. 


To become a member of the voluntary NEXUS program, the applicant must provide consent on the 
application form (either by signing the paper form in the appropriate space or the filling of a form field 
for the on-line version). Therefore, the number of applications received would equal the number of 
consents. Paper-based applications are scanned and an electronic copy of the file is retained at the CPC. 
The U.S. CBP sends the number of applicants who applied through GOES to the CBSA ona regular basis. 
To see what personal information is asked on the NEXUS application form, please refer to Schedule C. 
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Consent is required to ensure that the applicant understands that the information gathered is used for 
the purpose of the operation of the NEXUS program and to conduct applicable checks and verifications 
to determine eligibility and continued eligibility in the NEXUS program as described in the Presentation 
of Persons (2003) Regulations. 


As noted in the Consent form, if the applicant does not consent to the collection, use and sharing of 
their personal information, their application cannot be processed and an authorization cannot be 
granted. When an applicant subsequently advises that they are unwilling to consent to the collection of 
personal information/data, the applicant is asked to provide a written request, either by e-mail or hard 
copy through facsimile or post requesting that they are withdrawing their consent. Their 
correspondence is placed on their file. 


Pursuant to sections 7(2) of the Presentation of Persons (2003) Regulations, a person may apply for an 
authorization (NEXUS card) on behalf of a child who is under 18 years of age. Section 7(2.1) deems that 
“A person may apply for an authorization.....on behalf of a person who is 18 years of age or more who 
has a mental or physical disability if the person who has the disability consents to the application or, if 
the person has been declared incompetent, a person who is legally authorized to act on the person's 
behalf consents to the application." 


All CPC staff are trained on the appropriate procedures for collecting, recording and storing of all 
personal information for the NEXUS program. Training procedures are retained on the CPC unit's 
shared-drive for access by new employees and/or workshop training/em ployee reference and are 
updated on a regular basis. Audits are conducted regularly to ensure procedures are followed by CPC 
Staff. Formal sampling is conducted bi-annually with results reported to HO. 


Under the Trilateral Trusted Traveller Arrangement, Canada, the U.S. and Mexico are developing 
controls and procedures with regard to documenting consent and withdrawal of consent (the 
Operational Program Plan is attached at Schedule OO). A similar arrangement is being developed with 
the UK. 
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Annex F: Controls and Procedures Implemented for Retention and 
Disposal of Personal Information 


Section 5, Response 7.2 requires CBSA to implement controls and procedures ensuring the CBSA 
maintains a record of personal information for a minimum of two years following the last administrative 
action or when the individual has consented to an earlier timeline for disposal. 


This section provides a brief description of the controls and procedures that have been implemented. 
At a minimum, this section will address the following: 


1. How the information is collected and maintained — paper and/or electronic storage. 
2. Description/Justification of the retention timeframe 


3. Description of how the records will be destroyed, including how the CBSA will be capable of 
determining when the time for disposal has arrived. . 5 


4. Description of any information which must be transferred to LAC. 
5. Training to staff on those procedures; 


6. Regular (at least yearly) audits to ensure staff are abiding by those procedures. 


NEXUS Retention Specifications have been developed to ensure that all of the GoC's financial and 
administrative, legislation and regulatory req uirements are complied with (see Schedule J). User activity 
of GEC and the CPCS within the CBSA can be monitored since the user making the modifications to data 
and the date and time of the modification are logged. Firewalls are used to protect the integrity of the 
data storage. Once information is modified by either the CBSA or the U.S. CBP, this information will be 
updated to other agencies' internal systems. 


Further, all CBSA policies relating to data storage, transmission and destruction apply to the personal 
information collected for NEXUS at enrolment, at the interview stage or at renewal. These policies are 
set out in the Security Volume of the Comptrollership Manual at http://atlas/cb-dgc/pol/cm-mc/sv- 
vs/index_eng.asp. A copy of this manual is also available upon request. These policies also relate to the 
TDC’s collected at passage. | | 


Presently, all paper applications and attached documents are scanned into an electronic library with an 
identification number and client name and may be readily retrieved and/or deleted when the retention 
period has been reached. Once scanned, the original hard copy of the application/document is 
shredded. Electronic files are retained for six years. NEXUS memberships are valid for five years — the six 
year retention timeframe is beneficial to verify data from the previous or initial application when a 
renewal or re-application is received at the CPC. The virtual filing system has been in operation since 
April 2012. When the retention period is reached, files may be filtered for destruction by searching the 
original entry date and/or the "Date Modified" feature. 
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Audits on storage and maintenance of files are currently conducted on a regular basis to ensure files are 
scanned, records are complete with all documents and corresponding correspondence in the virtual 
library and have not yet reached the end of the retention period. | 


Traveller Declaration Cards are retained in hard copy and archived for seven years, after which time they 
are destroyed in a secure manner. These practices follow established standards for the handling and 
destruction of financial documents. | | | 


Under the Trilateral Trusted Traveller Arrangement, Canada, the U.S. and Mexico will retain information 
received for the period stipulated by their respective national laws and applicable national 
administrative policy. In Canada, pursuant to the Privacy Regulations, the retention period is at least two 
years following the last time the personal information was used for an administrative purpose unless the 
individual consents to its disposal. At the end of the period for retaining the information, Canada, the 
U.S. and Mexico will destroy the information. A copy of Mexico's privacy statement for its Viajero 
Confiable program is included in the Operational Program Plan at Schedule OO. Similar arrangements 
are being developed with the UK. 


CBSA inherited RDA 2000/033 from the CRA and it was within the purview of the CBSA to apply the RDA 
during the time period ranging from 2003 to March 20, 2015. However, on March 31, 2015, Library and 
Archives Canada provided the CBSA with its first Disposition Authorization (DA). This institution-specific 
DA (2015/008) supersedes all authorities used in the past emanating from the CRA or IRCC. Acquiring a 
new RDA does not nullify the validity of any existing retention and disposition schedules under the 
previous RDA 2000/033, but they will now be enforced through DA 2015/008. At the end of the 
retention period, the business owner must complete the "Records Storage or Records Destruction" form 
and seek approval from the Director of the Office of Primary Interest and the Director of Information 
Management (IM) for disposition of the records. The IM Director will keep the signed forms for 10 years 
after the record(s) is/are destroyed as the disposition of information resources of business value must 
always be documented and approved before action. 
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Annex G: Controls and Procedures Implemented for Accuracy of 
Personal Information 


Section 5, Response 8.2 requires CBSA to implement controls and procedures when data accuracy 
measures are adopted with an individual authorized to act on behalf of the individual. 


Those controls and procedures must ensure that: 


1. the technique(s) and the specific source(s) used to validate or update the personal information 
are documented; 


2. individuals are given the opportunity, whenever possible, to request correction of any 
.. inaccurate personal information before the information is used in a decision-making process 
that affects them; 


3. personal information can only be modified or corrected by those within the CBSA who have the 
authority to do so; 


4. when personal information is corrected or annotated, the record of personal information 
indicates the date of the last correction or annotation and the source of the information used to 
make the correction or annotation; and | 


5. when personal information is corrected or annotated, other authorized holders of the 
information are notified about the correction or annotation and that all copies of the 
information in the possession of the CBSA are corrected / annotated. 


Responsibility for ensuring that the personal information for NEXUS members is accurate, complete and 
up-to-date rests with the individual member. Program members are informed of their responsibility to 
update information during the enrolment process. If a member does not update their information, 
sanctions may be applied as this affects the program's ability to conduct risk assessments to determine 
on-going eligibility. Information is updated at least every five years when members have the opportunity 
to renew their membership in the program. | 


As the responsibility for correcting or updating NEXUS membership in GEC rests with the individual 
member, the GEC system is not designed to ensure that the individual member is notified of the 
correction/update. Currently, when a NEXUS member wishes to correct or update their membership 
information (e.g. change an address or name) they may: request the correction/update electronically via 
GOES; contact the CPC or EC by facsimile or e-mail to request the correction or update (once received, 
the updated information is entered into the client profile in GEC and updated documents are scanned 
and added to the original electronic client file with the original copy being shredded); submit a 
renewal/re-application that contains corrected/updated information; attend in person at an EC. 


Under the Trilateral Trusted Traveller Arrangement, Canada, the U.S. and Mexico have developed 


controls and procedures with regard to the accuracy of personal information which is included in the 
Operational Program Plan (Schedule OO). Similar arrangements are being developed with the UK. 
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Annex H: Controls and Procedures Implemented to Limit Access to 
Personal Information 


Section 5, Response 9.1 requires the CBSA to implement controls and procedures to ensure that access 
to the personal information is limited to authorized individuals who need to know. These individuals 
have been identified in Section 4.6 of this PIA. 


This section requires a description of the controls and procedures utilized to ensure access is limited and 
that the employees are aware of and abide by the CBSA's Privacy Code of Ethics. 


Personal information can only be disclosed with the express consent of the individual to which that 
information pertains or pursuant to s. 107 of the Customs Act. 


1) CBSA: 
Access to data records is determined through user profiles. User profiles are used to govern the 
control and administration of personal and payment information. Only system administrators 
and authorized CBSA maintenance personnel have access to all data for system maintenance 
purposes. The number of maintenance users is kept to a minimum. These employees are | 
security screened to the appropriate level and receive security awareness training. Users are 
limited to accessing only data and services for which they have been authorized. Log records are 
maintained of all user access and any modifications to an individual's record. These records may 
be used for audit purposes. 
Procedures to identify and respond to security breaches or disclosure of personal information. 
may be found in the CBSA's ATIP procedures. The ATIP unit would also alert the Office of the 
Privacy Commissioner of any breaches. 


All program employees are aware of an individual's right to access their own personal 
information. Individuals are informed of their rights through the privacy statement on the 
application form, which explains how the information provided will be used and directs the 
member to InfoSource.gc.ca for information on how to access their own personal information. 


Log records are maintained of all user access and any modifications to an individual's record. 
These records may be used for audit purposes. 


2) U.S. CBP and GPO: 
Personal information is shared with the CBP as authorized by the applicant on the application 
form and is used to determine eligibility and continued eligibility in the NEXUS program. 
Personal information is also used by the GPO to print and issue the NEXUS card to members. 
The CBSA and CBP have developed an MoU for the Disclosure of Information for the Purposes of 
the Joint Alternative Presentation and Inspection Programs that describes the collection, use 
and disclosure of information (see Schedule A of the Supporting Documentation). 


3) Under the Trilateral Trusted Traveller Arrangement, Canada, the U.S. and Mexico have 
developed controls and procedures with regard to limiting access to personal information. 
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These are included in the Operational Program Plan at Schedule OO. Similar arrangements are 
being developed with the UK. 
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These are included in the Operational Program Plan at Schedule OO. Similar arrangements are 
being developed with the UK. 


Canada Border Services Agency 


Overt Use of Video Monitoring and 
Recording Technology 


Privacy Impact Assessment (PIA) 


Border Programs 
Programs Branch 
November 2013 / Version 14 


Overt Use of Video Monitoring and Recording Technology 


Change Control Table 


Change Made By 


| Lise Dupuy 


Change Requested By 


Heath Lariviere 


. Creation of 
. Document First 


. Revisions to 
: content 


Heath Lariviere and 
. Rob Gilbert (ATIP) 


. Revisions to - 
Content /Meeting - 
. with Rob - 


. Revision to 
. content (Section 


. Complete 
revision of 

. content, addition 
_ of risk mitigation 
. Section. 


. Conversion to 
. new template, 
. content 
additions. 


Additions to 
. content. 


. Conversion to 
. new template, 
. content 
additions. 


Additions to 
content. 


Additions to 
FX content. — — 


| Provide 
|. Comments 


. Change PIA to 
. video only. 

. Additions to 
content. 


_ Additions to 
' content. 


. Clarification | 
. concerning audio - 
| components of 
. video technology - 


Additions to 
. content. 


Oct. 16, 2012 


. Maureen Haley 


. Megan Imrie 


Addition to 
| executive 
| summary | 
| indicating CBSA - 
. will explore audio - 
. capture in future _ 


Canada Border Services Agency 


Overt Use of Video Monitoring and Recording Technology 


. Maria Romeo 


. Outstanding 

. changes from 
_ previous 
— ——— "— ———/UOEE comments — 
. Changes to 

. reflect ATIP 

. comments Feb 


. Changes to : 
reflect comments — 
from ATIP legal 
. Changes to : 
reflect comments — 
. from ATIP | 
` September 30 


Adam Norwick 


Oct. 16, 2012 


Nov. 20, 2012 


Dec. 13, 2012 : 


2013 


2013 


2013 


October 24, 
2013 


2013 


Canada Border Services Agency 


Darren Okabe 


Darren Okabe 


. Darren Okabe 
| Monica Rendon 
. Maureen Haley 


. Changes to 
reflect ATIP 
|. comments April 


. Maria Romeo 


. Kory Beecroft 


. Review of 

. additions to 
| executive 

| summary : 
| indicating CBSA - 
. will explore audio - 
— C es cr —— — —ÓÉ————— capture in future — 
. Additions to four- 
| part Oakes test. | 
. Separation of 

. Oakes test from 
. Executive 
Summary 


Stephane Martin . Changes based 
|. on internal : 
consultation with — 
| DGsDec7and | 


_ATIP comments 


. Changes to : 
reflect comments — 
from ATIP : 
. October 23 & 30; - 
and the addition 
| of interview room | 
audio, audio- | 
. video content 


November 12, - Changes to | 
| _ reflect comments — 


. from DGO 


Overt Use of Video Monitoring and Recording Technology - PIA 


Table of Contents 


DÉFINITIONS c————————————— x 
SECTION 1 - OVERVIEW AND INITIATION ...........eceeeeseen een n nemen nennen nnne nnne nnns 
JAKE SES EA ere a Me pu EM UM ELI M D LI ree I E M et 
SECTION 2 - RISK AREA IDENTIFICATION AND CATEGORIZATION .............. eee 
Type ofProgram OF VACUVIDV opus peto S E a beue ee near ec cu b uaa E Ucet 
Type of Personal Information Involved and Context... 
Program or Activity Partners and Private Sector Involvement............. 
DuratioH-of the Program. of Activity 252 e ane n eost acceda pee Pcr Pace code ere D ERES 
Program PODUlaEbIOE SRE bees u ot reto coton destin ardent A CO eases 
technology and'PEIMAENE ss oboe bn rete roin EE d E bites re ss b rectas but Sue ioc Hard 
Personal Information TrabSPlss Otro d treo el eec deas RNN 
Risk Impact to the Institution... iii 
Risk Impact to the Individual or Employee..…............ ss 
SECTION 3 - ANALYSIS OF PERSONAL INFORMATION ELEMENTS ................ccccescceeeceeeceeseceeeees 
SECTION 4 - FLOW OF PERSONAL INFORMATION iii oo 
4.1 Video Data Flow Model - Diagram... EUER Ya Ee Sea Enn VERRE ou Ee Y Uere Vv Rev Enn 
Video Data Flow Explanatory Notes... sis 
4.1a Audio and Audio-Video Data Flow Model - Diagram ............................. eere 
Audio and Audio-Video Data Flow Explanatory Notes "UV. 
4.2 Example of a Data Flow Model - Table... ss 
4.3 Internal Use and Disclosure 5 cid Ne Y ope iN Ne Opa aeu Medo Pede pe s E Cosi 
4.4 External Use and DISClOSUF8..... escort he ea actes e rn esu er thud ab rs pet 
A 5 RETENTION) SOMBRE oit aec notet mutter aude date aes 
4.6-Other Possible:-ConsideFlatlons sq isst nn a Gere epos atu ri mde eet ub 
SECTION 5 - PRIVACY COMPLIANCE ANALYSIS ..............ccccccceecccsccceseceeccenceeseceeceeseseeeceuseseesees 
Legal Authority For Collection Of Personal Information... 
Necessity To Collect Personal Information ss. 
Authority For the Collection, Use or Disclosure Of the Social Insurance Number ............... 
Direct Collection - Notification and Consent (as appropriate)... 
Indirect Collection - Consent or Authority Under Sec. 10 of Privacy Regulations ................ 
Indirect Collection - Without Notification and Consent..…............ 
Retention and Disposal of Personal Information... ss. 
Accuracy OF Personal IN OfMALON sanana he RF E ta om eda eoo a E proe de Dee et nc 
Use Or PersonablnfortatlOns s edere pa ec EDU tn needs cave Ind p e RAT E 
Disclosures Directly Related to the Administration of the Program or Activity ................... 
Accounting For New Uses or Disclosures Not Reported in Info Source... 
Sarepuards« Statement Of-Sensit VIEV «cn cite ce cius oti tentée tt Taie 
Safeguards - Threat and Risk Assessment... 
Safeguards - Administrative, Physical and Technical... 
Technology and Privacy - Tracking Technologies ........................eeeeeee 
Technology and Privacy - Surveillance or Monitoring .................... eee 
Considerations Related to Compliance, Regulatory Investigation, Enforcement ................ 
SECTION 6 - SUMMARY OF ANALYSIS AND RECOMMENDATIONS ................ eer ORT 


Canada Border Services Agency 


Overt Use of Video Monitoring and Recording Technology - PIA 


SECTION 7 - SUPPLEMENTARY DOCUMENTS LIST a 
SECTION: SS FORMALAPPROVA riea E O UM E hae 


Canada Borger Services Agency 


Overt Use of Video Monitoring and Recording Technology : PIA 


EXECUTIVE SUMMARY 


This PIA has been drafted using the Canada Border Services Agency’s (CBSA) Policy on the Overt Use of 
Audio-Video Monitoring and Recording Technology (AV Policy) as well as the associated Directives, the 
Privacy Act and the Privacy Regulations, the Customs Act (CA) and the Immigration Refugee Protection Act 
(IRPA) as references. The AV Policy was implemented on August 15, 2011, revised in November 2012 and 
has since been updated in July 2013 to formalize the deactivation of audio capture except within interview 
rooms. 


Over the past several decades, the CBSA and its predecessors have increasingly implemented the use of 
Closed Circuit Television (CCTV) technology to carry out its mandate and to ensure the protection of its 
assets and staff. The use of CCTV cameras to monitor facilities and operations are now an integral part of 
the CBSA’s security framework and operations management. 


CCTV cameras are located throughout CBSA operations; they monitor and record CBSA operations at ports 
of entry (POEs) and inland offices. Areas and activities that may be monitored or recorded include, but are 
not limited to: Primary Inspection Line (PIL) interviews, secondary examinations, interactions at CBSA 
information counters, cashier counters, commercial counters, detention cells, and interview rooms. 
Cameras may also monitor the movement of travellers and goods from one point in a CBSA operation to 
another, for example, from PIL to secondary. 


Audio is only captured in interview rooms during interviews that are conducted for criminal investigations 
or for the administration of immigration legislation. These interviews may be recorded using audio-only or 
a combination of audio and video. 


Protecting your Personal Information 

In order to carry out its mandate, the CBSA must collect a wide variety of personal information. The 
collection of this information is required in order for CBSA officers to make admissibility decisions 
regarding persons who wish to enter Canada and goods to be imported into Canada. For the most part, 
the information collected through the use of CCTV technology is already being collected by the CBSA in one 
form or another. 


All persons who wish to enter Canada are required to provide the following basic personal information: 
name; citizenship(s); country and place of residence; sex; and must also provide a piece of approved 
identification, such as a passport or enhanced driver’s license. Foreign nationals seeking entry to Canada 
may also be required to provide the following information: address, or address of destination in Canada; 
date of birth (age); marital status; employment status; criminal history; fingerprints; and, information 
related to accompanying goods entering Canada, including purchases made abroad. In all cases, the CBSA 
collects the personal information deemed necessary to make an admissibility decision. 


Through the use of CCTV technologies, the CBSA is also capturing the physical image of the traveller or 
member of the public, in addition to the other elements of personal information already collected. In the 
case of a recorded interview, conducted for criminal investigations or for the administration of immigration 
legislation, the individual’s voice is also captured. Within the CBSA, only those employees who require 
access to video recordings as part of their duties are permitted to do so as per CBSA policies and 
procedures. 


CBSA - Released under the Access to Information Act. 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 
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Some personal information collected through overt audio and/or video monitoring and recording activities 
may be used in support of an investigation regarding national security or criminal activity involving a 
member of the public or an employee. As a result, audio and/or video recordings may be disclosed to 
internal stakeholders, such as CBSA Investigations and Inland Enforcement, and external stakeholders, such 
as the RCMP or CSIS. Recordings may also be used as evidence in criminal proceedings against an 
individual whose information appears in the recording. 


Recordings will not be disclosed for any purpose that is not consistent with the purpose for which the 
information contained in the recordings was collected or for any purpose that is not consistent with 
section 107 of the CA where the information is considered to be “customs information,” or with subsection 
8(2) of the Privacy Act where the information is not considered to be “customs information.” 


Any access to or disclosure of video or audio-video recordings must be noted in an audio-video monitoring 
log. The log entry must include the date and time when the data was accessed, which segment of the data 
was viewed, by whom and for what reason. Persons who access recordings must identify themselves by 
name, and badge number if applicable. When a recording is disclosed, the authority for that disclosure 
must also be noted in the log. Auditing CCTV technologies is not a current practise, however, the audit of 
access and disclosure is envisioned to be part of the Port Program Assessment process, an integrated 
review of the current, national CBSA programs. 


Retention 

Recordings of any video monitoring activity must be retained for no less than thirty (30) days following the 
date of their creation. Equipment currently in use unable to meet this 30 day minimum requirement is 
exempt, however any new or replacement CCTV equipment purchased must be capable of storing data for 
this minimum retention period. Video, audio-video or audio-only recordings that are used by the CBSA 
(e.g., for evidence or administrative purposes) shall be kept for a minimum of two years following the date 
of its last use. Since audio recording is only conducted in the context of interviews, where an 
“administrative purpose” has already been established, the retention period will always be two (2) years 
following the date of last use. 


Right of Access 

All recordings, regardless of storage medium, must be stored either in a locked cabinet (or container or a 
safe) or in a secure room designed in accordance with specifications approved by the Infrastructure and 
Information Security Division of CBSA. 


Recordings will be securely retained in accordance with established policies and guidelines, and may be 
disclosed both within the CBSA and to our law enforcement partners, and in some cases to Airport or 
Bridge Authorities responsible for the facilities in which the CBSA operates. Although some Memoranda of 
Understanding (MOUs) exist to provide for the disclosure of CBSA information to our partners, the CBSA 
will endeavour to negotiate MOUs with each organization with which the CBSA shares video information. 


Individuals may formally request access to your personal information, or access to corporate records 
related to or created as a result of audio-video recordings by contacting the Access to Information and 
Privacy Division. More information about this can be found at: http://www.cbsa-asfc.gc.ca/agency- 
agence/reports-rapports/pia-efvp/atip-aiprp/menu-eng.html. In addition to the requirements specified on 
the Treasury Board of Canada Secretariat Personal Information Request form, individuals requesting 
information described by this bank must provide the subject and date of correspondence, incident and 
location and legal authority for those acting on behalf of an account holder or estate. 
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Accountability 

If individuals have concerns about the collection, use, disclosure or retention of their personal information, 
they may issue a complaint to CBSA Access to Information and Privacy Division. Complaints should be 
made in writing, and include their name, contact information, and a brief description of their concerns. 
Contact information for the Access to Information and Privacy Division at the CBSA can be found here. 


http://cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip-aiprp/contact-eng.html 


To make a compliment, comment or complaint, the CBSA has made available a feedback form to help us to 
understand our clients and improve the delivery of our programs and services. Information on providing 
feedback can be found here. 


http://www.cbsa-asfc.gc.ca/contact/com-eng.html 


Please note that the CBSA is not currently capturing audio information outside of interview rooms where it 
is captured with the knowledge and consent of the person providing the statement. While the Agency 
continues to explore the use of audio, no decision has been made regarding its capture beyond interview 
rooms. Should the CBSA pursue with the intent of deploying audio technology, a PIA addressing the use of 
audio will be submitted to your office for your review and recommendations before activating any such 
equipment. 


The CBSA has posted a Video Recording and Monitoring Privacy Notice on their external website November 
19, 2012. This Privacy Notice outlines the use of, retention and disposal of and access to CBSA recordings; 


and includes a link to the PIB described in Info Source below: 


http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip-aiprp/infosource-eng.html 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 
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CBSA - Released under the Access to Information Act. 
rtu de la loi aie : 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


The following is a list of abbreviations and acronyms used in this report: 


ABBREVIATIONS AND ACRONYMS 


Access to Information and Privacy 
Customs Act 

Canada Border Services Agency 
Criminal Code 

Canadian Security Intelligence Service 
Immigration and Refugee Protection Act 
Memorandum of Understanding 
Personal Information Bank 

Primary Inspection Line 

Port of Entry 

Royal Canadian Mounted Police 


Treasury Board Secretariat 
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DEFINITIONS 


This section provides definitions of the terms frequently used in this report: 


The Privacy Act defines an “administrative purpose” to be the use of an individual’s personal 
information in a decision-making process that directly affects that individual. 


Is a use that has a reasonable and direct connection to the original purpose(s) for which the 
information was obtained or compiled. This means that the original purpose and the proposed 
purpose are so closely related that the individual would expect that the information would be used 
for the consistent purpose, even if the use is not spelled out. 


- Customs Information Means information of any kind and in any form that relates to one or more persons and is obtained 

by, or on behalf of, (i) the Minister for the purposes of the Customs Act or the Customs Tariff, or (ii) 
the Minister of National Revenue for the purposes of debts due to Her Majesty under Part V.1 of the 
Customs Act, or any information that is prepared from the information described above. 


Event As defined in the AV Policy, means any occurrence that may reasonably be expected to require 
| further action by the CBSA or that may reasonably be expected to go to court or to a tribunal and that - 
justifies reviewing video data. An event may include, but is not limited to, the following: arrest of a | 
traveller, national security incidents, assault on or hindering an officer, altercations between 
members of the public, use of force incidents, discharge of a duty firearm, vehicle searches resulting 
in enforcement action, verbal complaints, port runners, medical emergencies and environmental 
catastrophe. 


- Info Source Is a series of annual Treasury Board Secretariat publications in which government institutions are 

: required to describe their institutions, program responsibilities and information holdings, including 
PIBs and classes of personal information. The descriptions are to contain sufficient clarity and detail 
to facilitate the exercise of the right of access under the Privacy Act. Data-matching activities, use of 
the SIN and all activities for which privacy impact assessments were conducted have to be cited in 
Info Source PIBs, as applicable. The Info Source publications also provide contact information for 
government institutions as well as summaries of court cases and statistics on access requests. 


| Personal Information Bank Is a description of personal information that is organized and retrievable by a person's name or by an - 

- identifying number, symbol or other particular assigned only to that person. The personal information - 
described in the personal information bank has been used, is being used, or is available for an | 
administrative purpose and is under the control of a government institution. 


| Transitory Record As defined by Library and Archives Canada and for the purposes of this policy are those audio-video 

| records that have no enduring value to the CBSA. They are records that are required only for a 
limited time to ensure the completion of a routine action or the preparation of a subsequent record 
but do not include records that are required to control, support or document the delivery of 
programs, to carry out operations, to make decisions, or to account for activities of government. 
(Source: MIDA 2.1, 4. Definition) 


Primary Inspection line The term "Primary Inspection Line" is used to refer to the point at which the person entering Canada 
| makes a report of his or her person and goods as required under the Customs Act and the IRPA. The 
CBSA has PIL booths from which officers conduct primary examinations. 
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SECTION 1 - OVERVIEW AND INITIATION 


Government Institution: Canada Border Services Agency 


Government Official Responsible for the Privacy Head of the government institution / Delegate for 
Impact Assessment section 10 of the Privacy Act 
Barry Kong, Compliance and Program Dan Proulx, ATIP Director, CBSA 


Management Director, CBSA 


Name of Program or Activity of the Government Institution: 


Use of Overt Video Monitoring and Recording Technology 


Description of Program or Activity: 


The CBSA uses overt video monitoring and recording technologies in support of existing programs as an integral 
part of its security framework and its operations management in order to ensure the integrity of the Canadian 
border. The use of overt video monitoring and recording technologies supports the Enforcement, Facilitated 
Border, and Conventional Border programs, and increases the CBSA’s ability to meet its mandate and its ability to 
protect the public, its employees and its assets. 


Cameras monitor and record CBSA operations at ports of entry and inland offices. Areas and activities that may be 
monitored or recorded include, but are not limited to: PIL interviews, secondary examinations, interactions at CBSA 
information counters, cashier counters, commercial counters, detention cells, and interview rooms. 


The CBSA captures limited audio information in the execution of its mandate under the Canada Border Services 
Agency Act. Specifically, interviews, which are conducted in the enforcement of the Customs Act, the Immigration 
Refugee Protection Act (IRPA) and other CBSA program legislation, may be recorded by audio-only or by video in 
combination with audio. 


Criminal Investigation 


An individual who is the subject of, or a witness to, a criminal offence is not obligated to provide information 
related to that offence; it is provided voluntarily with the individual’s consent, otherwise it would not be admissible 
as evidence. 


Before the statement can be admissible as evidence, the court must be satisfied that it was made freely and 
voluntarily. The rules governing the admissibility of statements (commonly referred to as the “Judges Rules”) are 
applicable to all statements made to a person(s) in authority. A person in authority is generally accepted to mean 
anyone connected with the arrest, detention, examination or prosecution of the subject or anyone whom the 
subject believes may influence the case. 


To ensure that a statement is considered voluntary, officers must be able to prove to the court that the statement 
was made without fear or inducement. In this regard, an inducement can be described as anything said or done by 
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a person in authority, which would lead the subject to believe his position with respect to the charge will be better 
or worse dependent on the uttering of the statement. 


There are no consequences to failing to provide a statement; however, the Criminal Code creates offences related 
to misleading or obstructing justice by making false statements. The individual is made aware of these 
consequences. 


An individual who is subject of an investigation is read the standard caution against making statements and 
informed that the information they provide may be used as evidence. The standard caution for CBSA officers is 
provided below although the standard caution used by the police agency of jurisdiction may also be read. 


You need not say anything. You have nothing to hope from any promise or favour, or nothing to fear from 
any threat, whether or not you do say anything. Anything you do say may be used as evidence. Do you 
understand? 


In addition to providing the statement voluntarily, the individual also provides verbal or written consent for their 
statement to be recorded. 


Administration of IRPA 


An individual making an application under IRPA, which includes seeking to enter Canada and making a claim for 
refugee protection, is obligated to provide certain information as part of that application. Failure to provide that 
information can result in the application being rejected, which could include the individual being found 
inadmissible to Canada. Persons who knowingly refuse to answer a question put to them at an examination can be 
charged with an offence under section 127 of IRPA. Individuals are counseled on the consequences of failing to 
provide information at the commencement of the interview. Notification and verbal consent is obtained at the 
outset of all audio-recorded interviews. Individuals are also informed of the purpose for which the information 
they provide will be used. 


TARGETING 


The Targeting Program identifies people and goods bound for Canada that may pose a threat to the security 
and safety of the country. The CBSA uses a number of automated advance information sources from carriers 
and importers to identify people, goods and conveyances that may pose a threat to Canada. Advance 
Passenger Information and Advance Commercial Information provide the CBSA with electronic pre-arrival 
information on people and goods that can be used to perform risk assessments in advance of their arrival in 
Canada. Known threats are identified when there is a match against an enforcement database entry. People 
and goods that are identified as posing a threat to Canada are referred for verification and examination 
upon their arrival at a port of entry. 


Note: This should align with the program named and described in the institution’s Info Source Chapter as required under section 5 of the 
Access to Information Act. For institutions that develop a Program Activity Architecture (PAA) as per the Management, Resources, and 
Results Structure Policy, the institutional Info Source chapter must align with the programs, activities and sub-activities described in the PAA. 
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Description of the class of records associated with the program or activity: 


CBSA BPD 1101 


Records include audio/video footage of CBSA operations including primary inspection line (PIL) interviews; 
secondary examinations; interactions at CBSA information counters, cashier counters, commercial counters, 
in detention cells, and in interview rooms to record audio statements made under the Immigration and 
Refugee Protection Act (IRPA). 


Class of Record Number: CBSA BPD 1101 


Proposal for a New Personal Information Bank 
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TBS Registration: 20110287 
Bank Number: CBSA PPU 1104 


Description: This bank describes information that is used in support of audio-video, audio only and video 
only overt surveillance recordings generated by overt audio-video recording systems at CBSA ports of entry | 
and inland offices. The personal information may include name, contact information, biographical 
information, citizenship status, gender and criminal checks/history, date of birth, educational information, - 
employment equity information, financial information, medical information, physical attributes and place of 
birth. 
Note: In addition to the requirements specified on the Treasury Board of Canada Secretariat Personal 
Information Request form, individuals requesting information described by this bank must provide the 
subject and date of correspondence, incident and location and legal authority for those acting on behalf of 
an account holder or estate. 
Class of Individuals: General public, all non-CBSA employees working in affected areas and all off-duty CBSA | 
employees i in accordance with paragraph 3(j) of the Privacy Act. 
Purpose: The personal information is used to provide services for the overt audio-video surveillance 
activities. Personal information is collected pursuant to 5(1)(a) of the Canada Border Services Agency Act. 
Consistent Uses: The information may be used or disclosed for the following purposes: enforcement, 
reporting to senior management, safety, security and program evaluation. Audio-video recordings may be | 
shared with Canadian Security Intelligence Service (CSIS), Royal Canadian Mounted Police (RCMP) and other 
Federal law enforcement Agencies for investigative and enforcement purposes. Audio-video recordings may 
be shared with provincial law enforcement agencies for the purpose of enforcing federal and/or provincial - 
law. Audio-video recordings may be shared with municipal or regional law enforcement agencies for the 
purpose of enforcing federal and/or provincial law. Audio-video recordings may be shared with Canada 
Border Services Agency (CBSA) Investigations and Intelligence to enforce federal and/or provincial law and 
with Security and Professional Standards to conduct administrative Investigations into employee 
misconduct. 
Privacy Impact Assessment (PIA): The development of a PIA is in progress. The expected completion date is | 
November, 2013. 
Retention and Disposal Standards: Recordings of any video monitoring activity must be retained for no less 
than thirty (30) days following the date of their creation. 

Note: This clause does not apply to audio-video technology already in use that is unable to meet this 
requirement. Any new or replacement audio-video monitoring and recording equipment purchased 
following the implementation of this policy must be capable of storing data for the minimum retention 
period. 

Recordings that are used to obtain or provide information or to investigate an allegation or complaint, or 
used as evidence in respect of an identifiable individual shall be kept for the longer of two (2) years 
following the date of their creation, or following the date of their last use in an administrative action as 
information or as evidence in respect of that person. 

RDA Number: Currently under development. 

Related Class of Record Number: CBSA BPD 1101 

TBS Registration: 20110287 


- Please note that the above PIB is currently under review. 


| | Proposed new Standard Personal Information Bank 
| | Proposal to modify an existing Standard Personal Information Bank - identify Standard PIB number and current 
description: 
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N/A — all records are institution specific. 


Legal Authority for Program or Activity: 


Note: Prior to proceeding with the assessment it is essential that Parliamentary authority for the relevant program or activity be established. 
Generally, Parliamentary authority is usually contained in an Act of Parliament or subsequent regulations, or approval of expenditures 
proposed in the Estimates and authorized by an Appropriations Act. If legal authority is unclear consult your Legal Service to determine 
authority for the program or activity. (See question 1 of Section V) 


Summary of the project / initiative / change: 


The CBSA works to promote the free flow of travellers and goods, into and out of Canada, while ensuring 
that security measures are in place to stop and remove potential threats. Keeping Canada's border open to 
travel and trade, but closed to criminal activity requires the CBSA to manage border operations effectively. 


With a workforce of approximately 14,000 employees, the CBSA provides services at 1,200 points across 
Canada. The CBSA also administers more than 90 acts, regulations, and international agreements, many on 
behalf of other federal departments and agencies, the provinces, and the territories. In fiscal year 2011- 
2012, the CBSA processed 98 million travellers and 13 million commercial shipments. 


The CBSA uses overt video monitoring and recording technologies in support of existing programs as an 
integral part of its security framework and its operations management in order to ensure the integrity of 
the Canadian border and the health and safety of its employees as well as that of the travelling and 
Canadian public. The use of overt video monitoring and recording technologies increases the CBSA's 
ability to meet its mandate and its ability to protect the public, its employees and its assets. 


Cameras monitor and record CBSA operations at POEs and inland offices. Areas and activities that may be 
monitored or recorded include, but are not limited to: PIL interviews, secondary examinations, 
interactions at CBSA information counters, cashier counters, commercial counters, detention cells, and 
interview rooms. Cameras may also monitor the movement of travellers and goods from one point in a 
CBSA operation to another, for example, from PIL to secondary. 


Cameras assist the CBSA in ensuring the integrity of the border by capturing information relating to 
persons who contravene sections 11 and 12 of the Customs Act (CA) and section 18 of the Immigration 
and Refugee Protection Act (IRPA) by failing to present themselves and their goods for examination at the 
border. Cameras help detect threats to the health and safety of CBSA employees and the public, and 
information captured can be used to assist in the investigation of illegal activity committed in relation to 
the legislation enforced by the CBSA. 


Cameras will not be placed in any area where CBSA business is not conducted, or in any area where there 
would be a heightened expectation of privacy, such as public or employee washrooms, lunch rooms and 
locker rooms. Information related to travellers, facility employees (non-CBSA) or other members of the 
public (transport drivers, flight attendants, brokers clearing goods, etc.) is considered to be personal 
information as defined in section 3 of the Privacy Act. For the purposes of this activity and this PIA, any 
CBSA employee information captured in video recordings that relates to the function or the position of the 
employee is not considered to be personal information, in accordance with paragraph 3(j) of the Privacy 
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Act. Any information captured related to an employee that does not specifically relate to his/her function 
or position will be treated as personal information per section 3 of the Privacy Act. 


The CBSA recognizes that it has broad authorities to stop, question, search, detain and arrest travellers 
and seize goods and information in the border context. It further recognizes that, in order to carry out its 
mandate to ensure the safety and security of the Canadian border, it collects and is entrusted with a wide 
variety of personal information. The CBSA is committed to adhering to all privacy laws and to ensuring not 
only that individuals are appropriately notified of any collection of personal information, but that all of the 
information collected is appropriately protected. 


The overt use of video monitoring and recording technology is not a new activity. However, despite the 
fact that the CBSA is already using this technology, there has been no overarching policy to guide the use 
of equipment and recordings, or their retention, disclosure and disposal. The CBSA has decided to conduct 
this PIA in order to ensure that the privacy risks associated with collecting, using, and disclosing personal 
information in the form of video recordings are adequately addressed. 


The information collected through this activity supplements the information that the CBSA is already 
collecting. The only new information being captured through this activity is a record of the physical 
images of individuals who interact with the CBSA at service locations. All other information discussed in 
this PIA is already being collected in one form or another. 


When authorized by law, video recordings may be disclosed within the CBSA for various enforcement- 
related purposes such as the investigation of CA or IRPA offences. Video recordings may also be disclosed 
outside the CBSA to our law enforcement partners for the purposes of investigation of Criminal Code (CC) 
and other federal offences, as well as for the purposes of prosecution of those offences. In addition, in 
some cases recordings may be disclosed to private sector organizations such as Airport or Bridge 
Authorities, when agreements are in place to support lawful information sharing, and only when such 
sharing is necessary. 


This PIA reflects the CBSA’s overt use of video monitoring and recording technology at POEs and inland 
offices across Canada as of August, 2011. 


This PIA has been drafted using the AV Policy as well as the associated Directives, the Privacy Act and the 
Privacy Regulations, the Customs Act and the Immigration Refugee Protection Act as references. The AV 
Policy was implemented on August 15, 2011 and revised in July 2013 to formalize the deactivation of audio 
capture except within interview rooms and strengthen direction on retention, access and prohibited use 
for private conversations. 


Stakeholders include: local, provincial and federal law enforcement agencies, CBSA Investigations, CBSA 
Intelligence, CBSA Security and Professional Standards Directorate, Airport and Bridge Authorities where 
the CBSA operates. 
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OAKES TEST 


The CBSA also offers the following in answer to the four part test regarding video surveillance of public 
places: 


1. Isthe measure demonstrably necessary to meet a specific need? 


Yes, over the years that the CBSA has used overt video monitoring and recording, it has proven 
itself demonstrably necessary to support its programs and operations. Specific needs include the 
safety of CBSA officers and the public in CBSA operational areas, the security of CBSA buildings and 
equipment, and the evidence to support seizures or prosecutions under the Customs Act, the 
Immigration and Refugee Protection Act and the Criminal Code. 


The Dziekanski incident at Vancouver International Airport (VIA) demonstrated that video 
recordings were necessary to assist in the initial investigation of the Vancouver Airport Authority, 
the CBSA and RCMP, and the Braidwood Inquiry which followed. In this inquiry it was noted that 
video footage of Mr. Dziekanski in the Customs Hall showed "nothing to indicate that he was 
unsteady on his feet (i.e., that he was ataxic), which is usually the case with cerebellar 
degeneration." 


This unfortunate incident and the following results of the Braidwood Inquiry brought sweeping 
changes to the Standard Operating Procedures (SOPs) of airport authorities and the CBSA. Along 
with the installation of an information booth for travellers, improved language services and more 
patrols, the CBSA made improvements to the closed-circuit television system to better allow staff 
to observe the passenger hall. The CBSA hall now has — cameras which record 24-hours-a-day. 
These recommended changes enhance the safety of travelers and officers and the security of CBSA 
buildings and equipment at VIA as well as at other international airports across the country. 


Formal investigations of certain CBSA officers for alleged criminal acts demonstrated that the video 
monitoring and recording of officer conduct while performing their duties are necessary to ensure 
a culture of professional integrity amongst its employees. Proper officer conduct directly affects 
the image of the agency and Canada itself and directly influences the safety, security and overall 
border experience of travellers. 


A recent court case, for example, involving an on duty Border Services Officer at the Port of 
Douglas in B.C., demonstrates the necessity of video monitoring and recording. In 2007 it was 
alleged that a male officer brought 4 female travellers offsite to a public washroom or dimly lit 
fenced area on separate occasions and sexually assaulted 3 of them. Earlier in the trial, a woman 
testified that she was instructed by the officer to cross a road to a men's washroom to be strip 
searched. Video footage was later played in court showing the officer cross the road and 
immediately after, a woman crossing. The officer explained under oath, that he was likely grabbing 
a Coca-Cola and batteries from his car. However, video evidence showed that the officer did not 
have a can of pop with him upon returning to the CBSA building. The Crown called his actions "an 
appalling abuse of authority" and said the women only agreed to the ordeals under duress. The 
jury found the officer guilty of 3 counts of sexual assault and 1 count of breach of trust. The video 
evidence, contrary to the officer's statements, provided the jury a reasonable doubt that the 
officer's testimony was truthful. 
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2. Is it likely to be effective in meeting that need? 


Yes, in addition to meeting the needs stated above, overt video monitoring and recording should 
encourage compliance with border related legislation, while supporting the safety and security of 
officers and travellers. 


Remote border locations, for example, 

depend on CCTV technology to support the security of the border by capturing images of 
vehicles, license plates and travellers who cross without authority and to increase the safety of 
officers. CCTV technology aids in the protection and safety of officers not only in these remote 
locations but helps secure ports of entry across the country. For example, designated telephone 
reporting sites where no officers are present would benefit from using CCTV technology to 
supplement the telephone reporting information of persons seeking to enter Canada at marinas or 
wharfs. Even at large ports of entry, where travellers amount in the millions crossing per year, the 
CBSA depends of CCTV technology to support officer and traveller safety. 


CCTV also protects equipment owned by the CBSA. Server rooms for instance, at times containing 
thousands of dollars of computer servers and in locations where CCTV is used, digital video 
recorders containing hundreds of hours of video footage, are in locked rooms. Updated facilities, 
mostly the newest larger ports have cameras located in these rooms to help keep this equipment 
secure. CCTV is also used at ports which have secure bond locations (locked rooms or securely 
gated areas for detained or seized goods) and with the introduction of arming for officers, some 
ports have dedicated arming rooms to ensure that Agency firearms are safely and securely stored. 


Human rights complaints, for example, are vetted through the Human Rights Complaints 
Commission which evaluates the evidence submitted in discrimination complaints. The 
Commission requests that officers prepare accurate and complete notes detailing why certain 
actions were taken during a given incident i.e., referral, personal search, questioning etc. These 
notes and other documentation, including video surveillance, play a key role in the preparation of 
submissions to the Commission in defending the CBSA's position. 


Even if the Commission is unaware of video surveillance, this evidence may still play a key role in a 
tribunal's decision. For instance, the existence of video footage of an individual seeking entry to 
Canada in 2005 was revealed 4 years later at her human rights tribunal in 2009. Her story is that of 
particularly harsh treatment during an unexplained vehicle scan at the port of entry in Cornwall, 
ON. The now 8 year old video footage was recently shown at the tribunal in August, and as of 
September 2013 the hearings continue. 


Compliance with border related legislation is not only for the travellers crossing the border. A 
former Border Services Officer was sentenced in 2012 to 14 years imprisonment for his part in 
facilitating the smuggling of narcotics by 3 other accomplices. The Crown highlights the level of 
sophistication involved in the scheme, in particular "(his) actions at the border to wave Johal and 
Riar through and his pretending not to know either of them." Video evidence in this case was 
essential in providing the court with the timeline of the event and the relation between officer and 
travellers, from the time the officer entered the booth, to his personal cellphone use, up to the 
facilitated crossing of his two accomplices. CCTV technology was used successfully to regain the 
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public’s confidence to enforce the law in an objective manner and keep hundreds of kilograms of 
cocaine off the street. 


3. Is the loss of privacy proportional to the need? 


Yes, in fact the loss of privacy is minimal given the lower expectation of privacy in a border crossing 
context. 


The CBSA fulfills its mandate through the administration or enforcement of over 90 Acts and 
Regulations. As a result the Agency is responsible for numerous and complex programs and 
operating activities. In addition to contending with the breadth and complexity of its mandate, the 
CBSA must also deliver these programs on a very large scale. In fiscal year 2012-13, the CBSA 
provided border-related services for close to 100 million travellers and 14 million commercial 
releases as well as 36 million courier shipments and 44 million postal shipments arriving at our 
land, air, rail and marine ports of entry. The CBSA relies on CCTV to help us deliver our programs in 
the face of these pressures. 


Video monitoring and recording only takes place where CBSA business is conducted and to 
safeguard CBSA buildings and equipment at POEs and inland offices. Personal information already 
collected at POEs includes a traveller’s name; citizenship(s); country and place of residence; sex; 
and must also provide a piece of approved identification, such as a passport or enhanced driver’s 
license. Persons seeking entry to Canada may also be required to provide the following 
information: address, or address of destination in Canada; date of birth (age); marital status; 
employment status; criminal history; fingerprints; and, information related to accompanying 
goods entering Canada, including purchases made abroad. CCTV technology, in addition to the 
elements mentioned, also captures the physical image of the traveller which is necessary in 
identifying individuals involved in CBSA events, whether safety and security related or as evidence 
to support seizures or prosecutions. In all cases, the CBSA only collects the minimum amount of 
personal information required to make an admissibility decision or in the case of video, the 
minimum amount required to identify and if necessary provide evidence for court purposes. 


The recent shooting of a Border Services Officer in B.C., objectifies the need for this type of 
surveillance. The video footage apparently shows that the shooter immediately shot the officer 
after pulling up in his vehicle to the inspection booth. The officer had no warning and no chance to 
react. Luckily, the officer survived the attack and was later interviewed by police. However, 
victims of crime cannot be relied upon to recall the event as it truly happened, as understandably, 
they have suffered physical and mental trauma and are likely in a state of mental shock. An honest 
recollection of the event may be incorrect. The video surveillance offers the only true insight as to 
what actually happened. It can be slowed down, played frame by frame and if need be, digitally 
enhanced. Eye witness accounts are most likely of events post gunfire, and though any 
recollection of such events are often enhanced by adrenaline, at the same time this recall may be 
tainted by emotions, in this case fear, opening up any testimony to scrutiny. 


4. \s there a less privacy-invasive way of achieving the same end? 


No, overt video monitoring and recording at port of entry locations cannot be achieved by any 
other less privacy-invasive technology to achieve the same end. 
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The safety of officers and the public in CBSA operational areas, for example video recordings of Mr. 
Dziekanski at Vancouver International Airport, could not have been achieved in a less-privacy 
invasive way. Recordings of Mr. Dziekanski provided invaluable evidence at the Braidwood Inquiry 
to corroborate the testimony of witnesses in reference to Mr. Dziekanski's location and time of 
arrival and departure from the hall. Video also provided evidence, again in support of witness 
testimony, regarding Mr. Dziekanski's possible state of mind during his time in the baggage claim 
area. With thousands of travellers arriving per day through customs and immigration and the 
amount of hours that Mr. Dziekanski spent in this area, it seems likely that no amount of physical 
presence (e.g. supervisors) in the hall could have provided evidence of location and time as 
accurately as video recordings. 


Cameras in designated currency counting areas for example provide an unbiased view of the 
sometimes large sums of currency being handled by officers enforcing the Proceeds of Crime 
(Money Laundering) and Terrorist Financing Act (PCMLTFA). Officers consider the cameras as a 
safety net for unfounded complaints from travellers who report currency missing and alternatively, 
travellers who recognize the CCTV cameras appreciate the added security of their money. When 
counting currency, enforcement policy recommends this action be in presence of the client and 
another ‘observing’ officer. While this recommended procedure is less privacy-invasive, this is not 
always possible and would not deter allegations from travellers that both officers are corrupt. 


The security of CBSA buildings and equipment can be achieved by having a security guard posted in 
all sensitive areas/buildings, 24 hours a day, 7 days a week. This would be equally as effective as 
video monitoring; however it may not be as less-privacy invasive. The guard can see and hear 
more than what is overtly monitored as the camera feed is video only and the view is most likely 
static. The image may also be low definition and the subject too far away, below the camera or 
beyond the field of view. Also a guard can move towards a subject and speak with them; asking 
who they are and what are they doing here etc. Building security video recordings are used 
successfully as evidence for court purposes as long as the authenticity of the recording is 
unquestionable. 


As stated, recorded evidence for example, which can support seizures or prosecutions in a court of 
law cannot be achieved in a less-privacy invasive way. The physical image of a person committing 
alleged actions is undoubtedly hurtful to the case of the accused. Eyewitness testimony has 
proven to be easier disputed in court! and therefore less reliable than today's digital imaging 
technology. 


1. Laura Engelhardt, “The Problem with Eyewitness Testimony," Stanford Journal of Legal Studies Vol. 1.1 
(December 1999): 25-30 


The CBSA also offers the following in answer to the four part test regarding the recording of interviews: 


Is the measure demonstrably necessary to meet a specific need? 


Yes. In the case of either a criminal investigation or an administrative process under IRPA, there is a 
need to accurately record the information an individual provides during an interview so that it can be 
used as evidence in the associated proceeding (e.g. court or administrative tribunal, etc.) Recording 
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the interview, using either audio-only or audio-video recording technology provides the most 
objective and reliable method for meeting that need. 


In the criminal context, the Supreme Court has recognized the benefits of recording interviews as a 
means of assisting the courts in monitoring interrogation practices and protecting against 
untrustworthy confessions.’ The Youth Criminal Justice Act codifies this as a requirement with 
respect to statements made by persons less than 18 years to ensure the statement was provided 
voluntarily and that the young person understood the impact of waiving his or her right to 
counsel.” 


Even though no penal liability applies in the administrative context under IRPA, it is still important 
to create an accurate record of a statement to protect the fairness of the administrative process. 
Information provided in an interview may confirm or disconfirm an individual’s admissibility to 
Canada and may be used as evidence in decisions made by the Minister’s Delegate, Immigration 
Division, Refugee Protection Division and possibly the Federal and Supreme Courts of Canada 
should the decision be appealed. 


Is it likely to be effective in meeting that need? 


Yes. Recorded interviews provide an accurate and objective record of the information provided 
during the interview and the interaction between the individual and the officer that is easily 
reviewed by the courts or other relevant decision-maker. 


Is the loss of privacy proportional to the need? 


Yes. The intrusion on privacy is not significant greater than it would be with the traditional practice 
of conducting an interview with the officer taking detailed notes. More information is captured 
during a recorded interview (e.g. tone of voice, image of the officer and individual, body language, 
etc.) but this information is important to establishing an objective record. These aspects provide 
the court or other administrative decision-maker with useful information in considering the 
admissibility of the statement, the conduct of the officer, the context of a given statement, 
etcetera. 


In this respect, the practice of recording an interview protects both the investigating agency and 
the individual being interviewed. 


Is there a less privacy-invasive way of achieving the same end? 


No. Many interviews are not recorded and the officer makes detailed notes to provide a record. 
This is effective in capturing the significant content of the interview but is not as effective in 
providing a complete and objective record of the interaction. 


1 R. v. Oickle, 2000 SCC 38, [2000] 2 S.C.R. 3 
? Youth Criminal Justice Act s. 146(4)(a) and (b) 
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SECTION 2 - RISK AREA IDENTIFICATION AND CATEGORIZATION 


For Section 2, please check the appropriate box that describes the level of risk related to your program or 
activity and provide details as indicated in yellow. 


Type of Program or Activity Level of Risk 


- Program or activity that does NOT involve a decision about an identifiable individual EE! 


Personal information is used strictly for statistical / research or evaluations including mailing list where no 
decisions are made that directly have an impact on an identifiable individual. 


The Directive on PIA applies to administrative use of personal information. The Policy on Privacy Protection 
requires that government institutions establish an institutional Privacy Protocol for addressing non- 
administrative uses of personal information. 


| Administration of Programs / Activity and Services LI 2 


Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility 
for programs including authentication for accessing programs/services, administering program payments, 
overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc...). 


- Compliance / Regulatory investigations and enforcement | 13 


Personal information is used for purposes of detecting fraud or investigating possible abuses within 
programs where the consequences are administrative in nature (i.e., a fine, discontinuation of benefits, audit 
of personal income tax file or deportation in cases where national security and/or criminal enforcement is 
not an issue). 


- Criminal investigation and enforcement / National Security Dx] 4 


Personal information is used for investigations and enforcement in a criminal context (i.e. decisions may lead 
to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement). 


: Details: Some personal information collected thr 
used in support of an investigation into criminal act 
member of the public or an employee. 


video monitoring and recording activities may be 
i matter pertaining to national security involving a 


| Video recordings (including audio and/or audio-video in interview rooms) may be disclosed to internal 

| stakeholders, such as CBSA Investigations, Inland Enforcement, and external stakeholders, such as the Royal 

| Canadian Mounted Police (RCMP) and the Canadian Security Intelligence Service (CSIS), and local and municipal 
| law enforcement agencies for the purposes of criminal or national security investigations. Video recordings 

| may be used as evidence in criminal proceedings against an individual whose information appears in the 

. recording. 


Priv 


al information collected through overt video monitoring and recording activities (inc 

audio-video in interview rooms) may be used in support of an investigation regarding national se 
val activity involving a member of the public or an employee. As a result, recordings may be 
| stakeholders, such as CBSA Investigations and Inland Enforcement, and external stakehol 


_as the RCMP or CSIS, for the purposes of criminal investigation or national security. Recordings may also be 
| used as evidence in criminal proceedings against an individual whose information appears in the recording. 


Mitigation: 
Recordings will not be disclosed for any purpose that is not consistent with the purpose for which the 
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_ information contained in the recordings was collected or if it is not authorized under section 107 of the 

| Customs Act when the personal information is "customs information," or with subsection 8(2) of the Privacy 

| Act when the personal information is not considered to be "customs information." In some cases video 

| recordings owned by the CBSA may be disclosed to private sector organizations such as Airport or Bridge 
| Authorities, wren agreements are in place to support lawful information sharing, and only when such sharing is | 
| ude audio and/or audio-video in interview rooms). | 


Type of Personal Information Involved and Context Level of Risk 


Only personal information, with no contextual sensitivities, collected directly from the L| 1 
| individual or provided with the consent of the individual for disclosure under an authorized 
| program. 


Personal information, with no contextual sensitivities after the time of collection, provided by L| 2 
the individual with consent to also use personal information held by another source. 


Social Insurance Number, medical, financial or other sensitive personal information and/or the | 13 
. context surrounding the personal information is sensitive. Personal information of minors or 
incompetent individuals or involving a representative acting on behalf of the individual. 


: Sensitive personal information, including detailed profiles, allegations or suspicions, bodily Dx] 4 
samples and/or the context surrounding the personal information is particularly sensitive. 


Details: 


| The CBSA collects a wide variety of personal info der to carry out its mandate. In order to 

| determine the admissibility of travellers and/or the the CBSA may collect such detailed personal 

| information as occupation, annual salary, sexual orient , marital status, criminal history, and past drug use. 
| This information may also be captured in video recordings including audio and/or audio-video in interview 


rooms). 


| Privacy risk: 

| The CBSA collects a wide variety of personal information through its activities. Video recordings (including 

| audio and/or audio-video in interview rooms) may contain detailed personal information such as occupation, 
annual salary, sexual orientation, criminal history, and past drug use. 


| Mitigation: 
_ The CBSA will collect only the personal information necessary to effectively carry out its mandate. 


some video recordings may be considered to be Protected A (for instance, video recordi ng 

as the baggage hall where personal information is minimally captured and no audio is cap 
rdings are Protected B (such as interviews at the Primary Inspection Line (PIL | 

dary area) as the information contained in them concerns multiple persons, and « | 

| information à iS s generally of a detailed personal nature. As such, all recordings, regardless of storage medium, 

| must be stored either in a locked cabinet (or container or a safe) or in a secure room designed in accordance 

with specifications approved by the Infrastructure and Information Security Division of CBSA. 


All retention and disposal of video recordings will be carried out in accordance with the relevant provisions of 
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| the AV Policy. Disclosure to third parties will be made by the Region or District where the footage is captured. 
Such disclosure will be made in accordance with section 107 of the Customs Act and section 8 of the Privacy 
Act. 


The retention period for recordings having no enduring value to the Agency will be 30 days. For all recordings 
| of events requiring Iren action on the part of the CBSA or that may be pu ne court, the CBSA has 


re ordina w will also become subject to the minimum two-year retention eee 


ding i is only conducted i in the context of interviews, where an "administrative E: 


The AV Policy: 


e All disclosure of audio-video records must be made in accordance with the provisions of the Customs Act, 
the Access to Information Act, the Privacy Act and/or CBSA disclosure policy. 


e When an audio-video record is disclosed in response to an ATIP request from an individual whose 
information is contained in the record, the identity and other personal information of other individuals in 
the audio-video record who are not implicated in the request will be protected. If the personal 
information of a third party cannot be prote onsent has not been provided for its disclosure, 
the audio-video record will not be disclosed. 


Details: Audio-video recordings may be disclosed to other government departments and / or law enforcement 
| agencies to further investigations related to criminal activity and / or national security. 


ations and with Airport or Bridge or other competent aut 


e All disclosure of audio- video records must be made in accordance with the provisions of the Customs Act, 
the Access to Information Act, the Privacy Act and/or CBSA disclosure policy. 


e In addition, the Directives on the Overt Use of Audio-Video Monitoring and Recording Technology state 
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e Any access to or disclosure of audio-video recordings must be noted in an audio-video monitoring log. 
The log entry must include the date and time when the data was accessed, which segment of the data 
was viewed, Dy whom and for what reason. Persons who access recordings: must identity themselves by 


io-video recordings are copied or extracted in order to be disclosed within the C 
departments or law enforcement organizations, the CD, DVD or storage de 
storage according to the security classification of the informati 
video recording. Generally, audio-video recordings are to be classified Protected B. 


e Audio-video recordings, including records to be disclosed to other law enforcement agencies and 
government bodies, may only be disclosed as authorized by the Privacy Act, s. 8, Customs Act, s. 107, and 
CBSA disclosure policy. 


e Only the segment of the audio-video recording related to the request will be provided. Any unrelated 
data will be blacked-out, blurred, or obscured by technique certified as tamper-proof by a credible 
certification body. 


e When audio-video recordings are disclosed 
accordance with the principles concernin. 
entirety. Such disclosure must be noted i 
disclosure. 


:gal proceedings, copies shall be made in 
f evidence and shall be the record in its 
monitoring log, including the authority for 


d access to view and/or copy audio-video 

recordings, the information regarding this ac be entered in the audio-video monitoring log. The © 
log entry must include which segment of the d S been listened to and/or viewed, by whom, for what | 
reason and indicate whether the other law enforcement agency was provided with a copy of the 


e When other law enforcement organizatio 


ES TELE 
Duration of the Program or Activity Level of risk 
One time program or activity | ]1 
: Typically involves offering a one-time support measure in the form of a grant payment as a social support | 
mechanism. 
Short-term program [ ]2 


A program or an activity that supports a short-term goal with an established "sunset" date. 


Long-term program 


Existing program Dust has been modified or is established with no clear "sunset". 


- The CBSA uses overt video monitoring and recording technology as an integral part of its operations and - 
security framework. The use of overt video monitoring and recording technology increases the CBSA's ability to : 
deliver its mandate and protect the public, its employees and its assets. : 
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| The CBSA collects personal information through video monitoring and activities. These activities will not cease 
„at any time in the future. 

| Other risks include varving retention periods and capabilities among different technologies within the 

| institution. 
Mitigation: 


ersonal information for the minimum amount of time nece: 
Agency or will not be required as evidence of an event that will nece 
CBSA or for court purposes. 


le ue rights of individuals with the needs of the CBSA to ensure t 


to the, gency will be 30 days. For all recordings of events requiring further action on n the part of the CBSA or 
that may be required for court, the CBSA has established a minimum two-year retention period in accordance 
with paragraph 4(1)(a) of the Privacy Regulations. In addition, if an ATIP request or formal complaint is 
received within 30 days of the creation of a recording, that recording will also become subject to the minimum 
two-year retention period. 


- Since audio recording is only conducted in the context of interviews, where an “administrative purpose” has 
already been established, the retention period will always be two (2) years following the date of last use. 


It is CBSA's goal to standardize national CCTV techn 
mandate. 


it will meet CBSA business needs in the delivery its 


Program Population 


The program affects certain employees for internal administrative purposes. |] 1 

- LM D A de TUI ERR MEE c "NE 
? a a | hax | 
und M RE — 


Details: 


Some information collected will be disclosed within the CBSA and to other federal institutions and law 
| enforcement agencies for the purpose of pursing a criminal investigation. These investigations may lead to 
| prosecution. 


Privacy Risk: 


audio and/or audio-video in interview rooms) of interact 
iovernment departments and law enforcement agencies for the purpo: 
for the purposes of criminal prosecution. 


The CBSA will ens t any disclosure of video recordings is made in accordance with the relevant policies 
and legislation. In addition, the CBSA will take steps to ensure that recordings are not disclosed by third parties 
without the consent of the CBSA. In some cases recordings (does not include audio and/or audio-video in 

: interview rooms) owned by the CBSA may be disclosed to private sector organizations such as airport or bridge 
| authorities, when agreements are in place to support lawful information sharing, and only when such sharing is 
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: necessary. The CBSA will also endeavour to enter into MOUs with airport and bridge authorities that own and. | 
operate CCTV equipment within CBSA areas in order to regularize the disclosure and sharing of authority owned. 
information shared with the CBSA. 


: 6.1 Does the new or modified program or activity involve the implementation of a new electronic — Xx] YES 

- system, software or application program including collaborative software (or groupware) that C] NO 
is implemented to support the program or activity in terms of the creation, collection or - 
handling of personal information? 


6.2. Does the new or modified program or activity require any modifications to IT legacy systems |] YES 
- and / or services? [X] NO 


6.3 Does the new or modified program or activity involve the implementation of one or more of 
| the following technologies: 


6.3.1 Enhanced identification methods: LJ Yes 
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint - Dx] NO 
analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, | 
new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that 
are embedded with either an antenna or a contact pad that is connected to a microprocessor and a | 
memory chip or only a memory chip with non-programmable logic). - 


Please specify: 


632 "User Surveillance  Dqvts 
This includes surveillance technologies such as audio/video recording devices, thermal imaging, | [| NO 
recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring | 
including audit trails, satellite surveillance etc. 


Please specify: 


| . The CBSA uses overt video monitoring and recording technologies to monitor and 

| record CBSA operations at ports of entry and inland offices. Areas and activities that _ 
- may be monitored or recorded include, but are not limited to: primary inspection line | 
: (PIL) interviews, secondary examinations, interactions at CBSA information counters, - 
- cashier counters, commercial counters, detention cells, and interview rooms. 


All persons present in these areas will be subject to monitoring and/or recording. 


The CBSA captures limited audio information in interview rooms, which are 
conducted in the enforcement of the Customs Act, the Immigration Refugee 
Protection Act (IRPA) and other CBSA program legislation, which may be recorded by 
audio-only or by video in combination with audio. 


6.3.3 Use of automated personal information analysis, personal information he me | | YES 
knowledge discovery techniques: Dx] NO 


For the purposes of the Directive on PIA, government institutions are to identify those activities 
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that involve the use of automated technology to analyze, create, compare, cull, identify or extract 
personal information elements. Such activities would include personal information matching, 
record linkage, personal information mining, personal information comparison, knowledge 
discovery, information filtering or analysis. Such activities involve some form of artificial 
intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to 
predict behaviour. 


Please specify: 


A YES response to any of the above indicates the potential for privacy concerns and risks that will need to be 
considered and if necessary mitigated. 


6.1 Implementation of new cameras 


| Privacy Risk: 
The CBSA has implemented cameras that have the capability to capture audio recordings of any and all 
| individuals found in an area where overt video recording takes place. 


Mitigation: 


| All audio capabilities of these cameras have been disabled, de-activated or removed outside of interview rooms 
where it is only activated following full disclosure of the intent to record and individuals are read a legal caution - 
concerning any statements made (and if necessary, a secondary caution) informing clients of their right to 
: silence and right against self-crimination. 


Caution: "You need not say anything. You have nothing to hope from any promise or favour, or nothing to fear 
from any threat, whether or not you do say anything. Anything you do say may be used in evidence. Do you 
understand?" 


Secondary Caution: "If you have spoken to any police officer or to anyone with authority, or if any such person 
| has spoken to you in connection with this case, | want it clearly understood that | do not want it to influence 
| you in making any statement. Do you understand?” 


: The CBSA recognizes and understands that audio capacity de-activated may be accidently switched on; however : 
| the CBSA believes that permanently disabling this capacity would be premature until the CBSA researches and 
investigates the need for audio capture in other areas outside of interview rooms. Until then, the CBSA will 
follow direction from the Minister's Office, in which the use of has 

| been accepted as a satisfactory method of de-activating audio. The CBSA also recognizes that permanently | 
| disabling the audio capacity may void any warranty on existing equipment and as a result, put more pressure on 
_ funding for CCTV technology. - 


Audio information which is inadvertently captured in a manner inconsistent with the AV policy cannot be used 
: by the CBSA and must be destroyed. Details of this incident must be sent to Programs Branch via the AV Policy 
_ Inbox: CBSA-ASFC AV Policy-Politique AV 


6.3.2 Use of Surveillance 


| Privacy Risk: 
| The CBSA will capture video recordings of any and all individuals found in an area where overt video recording 
takes place. 
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. Mitigation: 
| Any recording that is of no enduring value to the Agency, or that does not contain an event that is likely to 

| require further action on the part of the CBSA or that can reasonably be expected to go to court will be 

| disposed of following a minimum retention period of 30 days. Equipment currently in use unable to meet this 
minimum requirement is exempt, however any new or replacement CCTV equipment purchased must be 

| ata for this minimum retention period. Recordings that are used b 
or a minimum of two years following the date of its last use. _ 


n retention period of 30 days is intended to balance the needs of the CBSA with the pri 
| individuals whose information is contained in the recordings. The AV Policy pro 
isposed of following the minimum 30-day retention period mus 
15 days of the expiration of that period. 


This minimum retention period of two years is in accordance to section 4.1 of the Privacy Regulations. 


: Event — means any occurrence that may reasonably be expected to require further action by the CBSA or that 

: may reasonably be expected to go to court and that justifies reviewing audio-video data. An event may include, 
without being restricted to, the following: arrest of a traveller, national security incidents, assault on or 

: hindering an officer, altercations between members of the public, use of force incidents, discharge of a duty 
firearm, vehicle searches resulting in enforcement ac on, verbal complaints, port runners, medical emergencies 
and environmental catastrophe. | | 


Since audio recording is only conducted in the « 
already been established, the retention period 


. The personal information is used within a closed system. [ ]1 
No connections to Internet, Intranet or any other system. Circulation of hardcopy documents is controlled. | 

The personal information is used in system that has connections to at least one other system m 
-The personal information is transferred to a portable device or is printed. | ]3 


USB key, diskette, laptop computer, any transfer of the personal information to a different medium. 


| Details: Recordings may be transferred from their original recording medium to USB keys, DVDs, etc for storage 
or for disclosure. Some data may be transmitted wirelessly from the camera to the recording edium, such as 


al information being transmitted on a wireless network may be compromised. Wireles 
situations where a physically wired connection is impossible due to di 
remote areas in the Yukon or frozen tundra locations in the Arti 


Mitigation: 

The CBSA will ensure that all wireless transmission of data is secure using appropriate technologies. Any 
transmission of recordings over wireless networks must be done in accordance with the CBSA's Policy on the : 
Use of Wireless Technologies. Wireless transmission of data not in compliance with these protocols must cease - 
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immediately and the wireless transmission can only resume when authorized by local IT and an official of the 

| Physical Security Section of the Security and Professional Standards Directorate. A Threat Risk Assessment 

_ (TRA) of CBSA's audio-video technologies was completed in September 2013 and a summary of this assessment 
_is attached. 


t to the Institution 


. Managerial harm. 


Processes must be reviewed, tools must be changed, change in provider / partner. 


Organizational harm. : B 


Changes to the organizational structure, changes to the organizations decision-making structure, changes to 
the distribution of responsibilities and accountabilities, changes to the program activity architecture, 
departure of employees, reallocation of HR resources. 


| Financial harm. | RE 


Lawsuit, additional moneys required reallocation of financial resources. 


: Reputation harm, embarrassment, loss of credibility. | Dx] 4 


Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome 
compromised, government priority compromised, impact on the Government of Canada Outcome areas. 


| Details: If the recordings are compromised or otherwise released without authority to do so, there is the risk 
that the information may harm the reputation of the . As the records contain not only the personal 

| information of travellers and the public, but also sei ecord of how the CBSA does business, inadvertent 

| release of information could cause the public to h sed confidence in the ability of the CBSA to protect 
_ the border. 


Privacy Risk: 
Should recordings be inadvertently or inappropriately 
reputation or embarrassment due to the sensitivities 
by the CBSA. 


ed, an individual may suffer harm to his/her 
unding the type of information that can be collected 


| Mitigation: 

| The CBSA will take steps as recommended in the accompanying Threat Risk Assessment Summary to ensure 
that disclosure of recordings is only made in accordance with the relevant legislation as indicated above. Only 
| those employees who require access to recordings as part of their official duties and who have a need to view 
them will be permitted to access them. Such permission will be granted in writing and all access to recordings 
| will be monitored by way of access logs. — See Appendices for Privacy Breach Protocol 


Details: The inadvertent disclosure of such information without authorization or to an improper party may lead 
to financial harm, but it is more likely that should the information be compromised it would lead to harm to 
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reputation and/or embarrassment. For example, details surrounding an individual's travel including travel 
| companions and their relationship, contents of baggage/vehicle, and responses to questions regarding such 
topics as criminal history and past drug use may be contained in recordings. 


Privacy Risk: 
: Should recordings be inadvertently or inappropriately released, there is a risk that individuals whose 
ose recordings could sue the CBSA given the sensi 

ed and the potential impact the release could have on thos 


take steps to ensure that disclosure of recordings is only mad 
cated a above. : nb those employees with a minimum SECRET security cle 


c to access them. Such permission will ll be granted in writing and all access to o recordings v will ll be monitored. ib way - 
- of access logs. | 
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SECTION 3 - ANALYSIS OF PERSONAL INFORMATION ELEMENTS 


Personal Information Elements and Sub-elements 


Note: Identification of sub-elements is necessary where sensitive personal information is being collected or where the type of program or activity presents a potential privacy risk at 
level 2-3-4 in "Section II - Risk Identification and Categorization” of the PIA. 


Category Of | Personal Information | Personal Information - - Purpose / Necessity 
- : |. Format | 

. Personal Information —^ & — — clément tlt. CO eee o 
. Gender, physical _ Physical image of At PIL: Visual To identify clients. 
attributes _ traveller or other i — ; ae _ Image . To make admissibility decisions regarding the entry of 
; . : e : z : 

member of the public - incuees a person s race, National or Recording — persons and goods to Canada. 

. when video is ! ethnic origin, religion, or colour; : - 


| To ensure the integrity of the border. 


| captured. e caninclude information related to 


travelling companions, including 
indicators of marital status; 


: To ensure the security and health and safety of CBSA 
| employees and members of the public. 
| | To ensure the integrity and quality assurance of CBSA 
e caninclude information related to a : | programs. 

person's employment : - 


e at a land border, can also include an 
image of the vehicle that a person is 
travelling in, including the license 
plate; 


: At secondary inspection: 


e includes a person's race, national or 
ethnic origin, religion, or colour; 


e can include information related to 
travelling companions, including 
indicators of marital status; 


e can include indicators of employment . 
history and of financial transactions, 
including information on personal 
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belongings that may provide 
information on the person’s 
economic status; 


can include evidence of wrongdoing, 
such as assault, hindering and officer, 
or smuggling. 


At inland CBSA offices: 


e includes a person's race, national or 


ethnic origin, or colour; 


can include information related to a 
person's employment (e.g. at a 
commercial counter, it may be 
identifiable that a person works for a 
particular trucking company) 


Citizenship status, 2 Physical image of a 
gender, physical _ traveller with video 
attributes | recording of primary 


| interview or secondary 
| examination at an 
| airport. 


| At PIL, video recordings can include: 


e a person's race, national or ethnic 


origin, religion, or colour; 


information related to travelling 
companions, including indicators of 
marital status; 


| At secondary inspection, video recordings 
. can include: 


e aperson's race, national or ethnic 


origin, religion, or colour; 


information related to travelling 
companions, including indicators of 
marital status; 


information on personal belongings 
that may provide information on the 
person's economic status; 


Visual 
Image 
. Recording 


| To identify clients. 
| To ensure the integrity of the border. 


| To ensure the security and health and safety of CBSA 
employees and members of the public. 


| To ensure the integrity and quality assurance of CBSA 
| programs. 
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e evidence of wrongdoing, such as 
assault, hindering an officer, or 


smuggling; 
Citizenship status, . Physical image of a - In addition to the personal information Visual - To identify clients. 
gender, physical traveller with video | indicated above that is captured at an Image . To ensure the integrity of the border. 
attributes di f pri ET ; R di : 
: eee 7 ML | alr port at a land border, the following | ESPUMA . To ensure the security and health and safety of CBSA 
| sid y : information may also be captured in video | employees and members of the public. 
| examination at a land | recordings: : 
' border. : : . To ensure the integrity and quality assurance of CBSA 
| At PIL: | | programs. 


e animage of the vehicle, including an 
image of the license plate; 


e atraveller's citizenship; 
| At secondary inspection: 


e images of the interior of a vehicle, | 
including the personal belongings of a : 
traveller, which may provide : 
indicators of economic status; 


| Adjacent to the port of entry: 


e Cameras may capture images of 
surrounding areas, which may include 
images of vehicles, including images | 
of license plates, of vehicles travelling 
in the area adjacent to the port of 


entry. 
Gender, physical Physical image of a | | e Wideercandmeliider person's race; | Visual To identify clients. 
attributes member of the public national or ethnic origin, religion, or |Mage . To ensure the integrity of the border. 
_ with video recording of ; . Recording - | 
È colour; - : . To ensure the security and health and safety of CBSA 
| transaction between - - | | d b fth bli 
| that person and the | + Video can include information related - - FPE SR die MEME RER PEN 
` CBSA at an inland : to a person’s employment (e.g. ata  — . To ensure the integrity and quality assurance of CBSA 
| service point or : commercial counter, it may be : _ programs. 
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identifiable that a person works for a 
particular trucking company) 


Gender, physical 
| attributes, 


_ Physical image of a 
| person under arrest or 


. detention who has 

| been placed in a CBSA 
. detention cell at a port 
| of entry. 


- The primary purpose for these cameras is 
- to ensure the health and safety of persons 
| held in the cells and CBSA employees. 

| Persons may be held for up to 24 hours. 


The video may capture: 


e aperson's race, national or ethnic 
origin, religion, or colour; 


e thefactthat a person is held in a cell, 
which means that the person is 
suspected of having committed, or 
has been arrested for, a 


contravention of the Customs Act, the : 


Criminal Code, or any other Act of 
Parliament. 


Visual 
| Image 
. Recording 


: To identify clients. 
- To ensure the integrity of the border. 


To ensure the security and health and safety of CBSA 
- employees and members of the public. 


: To ensure the integrity and quality assurance of CBSA 
| programs. 


. Name, date of birth, 
citizenship as well as 

. details concerning personal 
| life, employment history, 

- criminal history, family life, 
. financial status, personal 

- affiliations, etc. 


. Voluntary statements 

- made in interview rooms 

_ by persons who are under 
investigation, detention or 
- arrest. 


- The primary purpose of audio capture in 
| interview rooms is to provide evidence 

- regarding offences relating to the acts and | 
regulations that the CBSA governs at POEs 


Audio or 
 audio- 

_ video 

. recordings 


The CBSA captures limited audio information in the 

| execution of its mandate under the Canada Border 

| Services Agency Act. Specifically, interviews, which are 
| conducted in the enforcement of the Customs Act, the 
Immigration Refugee Protection Act (IRPA) and other 

| CBSA program legislation, may be recorded by audio- 

| only or by video in combination with audio. 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Overt Use of Video Monitoring and Recording Technology : PIA 


SECTION 4 - FLOW OF PERSONAL INFORMATION 


Identify the flow of the personal information within and outside the institution’s program or activity. 
Institutions may choose to outline the flow of personal information in the format of their choice. 


4.1 Video Data Flow Model - Diagram 
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Video data is 
captured — the 
physical image of 


the individual is 
captured. 


Video data is 
stored 


Relevant data is 
copied and / or 

transferred onto 
storage medium 


Video is reviewed to 
identify relevant 
information. 


Data is disclosed in 
accordance with 
relevant legislation. 


Data is used to 
support 
administrative, civil 
or legal action 
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Video Data Flow Explanatory Notes 


1. Video data is captured by means of cameras that are plainly and clearly announced and/or 
are visible in their placement or use. Signs informing travellers and/or employees that an 
area is under surveillance have been posted. Cameras may be located in any areas where 
the CBSA processes persons and goods, or secure areas such as server, arming or currency 
counting rooms. 


Video data is captured for the following purposes: 

(a) To carry out the mandate of the CBSA. 

(i) To detect and identify persons who fail to present themselves and their goods in 
accordance with sections 11 and/or 12 of the Customs Act and/or section 18 of the 
Immigration and Refugee Protection Act ; 

(ii) To detect or deter persons who may pose a risk to the health and safety of CBSA 
employees and members of the public; 

(iii) To gather information regarding unlawful activity related to any of the legislation 
enforced by the CBSA e.g. evidence that goods have been unlawfully removed 
from CBSA control; 

(b) For the security and protection of CBSA infrastructure including buildings, assets and 
equipment: 

(c) For the security and protection or the health and safety of CBSA employees and/or 
members of the public working in or having access to CBSA owned or operated facilities 
including ports of entry or any other CBSA office. 

(d) For purposes related to the integrity and quality assurance of CBSA programs. 


2. All video recordings are securely stored as per CBSA policies on the storage of protected 
information when they are not in use. (Refer to Appendix: Comptrollership Manual — 
Security Volume — Chapter 6: Storage of Sensitive Information and Assets). 


Access to and control of any equipment used for recording purposes is limited to qualified 
operators who are authorized to do so by the manager responsible for the facility in which 
the equipment is located. Authorization is provided in writing and specifies the purposes for 
which access and or control is given. 


3. Event- means any occurrence that is likely to require further action by the CBSA or that 
may reasonably be expected to go to court and that justifies reviewing video data. An event 
may include, without being restricted to, the following: arrest of a traveller, national security 
incidents, assault on or hindering an officer, altercations between members of the public, 
use of force incidents, discharge of a duty firearm, vehicle searches resulting in enforcement 
action, verbal complaints, port runners, medical emergencies and environmental 
catastrophe. 


ATIP Request — A request for information made under the access to information and privacy 
legislation. 


Formal Complaint — A formal complaint includes but is not limited to, a written complaint 
regarding officer conduct or service received. 
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4. Transitory Record — as defined by Library and Archives Canada and for the purposes of this 
program are those video records that have no enduring value to the Agency. They are 
records that are required only for a limited time to ensure the completion of a routine 
action or the preparation of a subsequent record but do not include records that are 
required to control, support or document the delivery of programs, to carry out operations, 
to make decisions, or to account for activities of government. (Source: MIDA 2.1, 4. 
Definition) 


Recordings that are considered to be transitory records will not be disclosed outside or 
within the CBSA and will be deleted/disposed of following the expiration of the minimum 
30-day retention period for transitory records. 


Operational Record — records that are required to control, support or document the 
delivery of programs, to carry out operations, to make decisions, or to account for activities 
of government. 


A grandfather clause has been written into the policy to ensure that any equipment that is 
already in use that is not capable of storing data for 30 days remains compliant with 
requirements. The minimum retention period for such equipment becomes the period for 
which the equipment is capable of storing data (e.g. if the equipment can only store data for 
7 days, then the minimum retention period is 7 days). The grandfather clause expires when 
the equipment is replaced or upgraded. 


All recordings and copies will be retained in accordance with the relevant CBSA security 
policy (Comptrollership Manual — Security Volume — Chapter 6: Storage of Sensitive 
Information and Assets). 


5. If an event is identified or if an ATIP request or formal complaint is received, recordings 
must be reviewed to identify the applicable footage. 


6. If the footage is reviewed to verify an event and a determination is made that no event 
occurred and no further action will be necessary in relation to the recording, the recording 
can be considered to be a transitory record. 


7. The recording will not be disclosed outside the CBSA and will be deleted/disposed of upon 
the expiration of the minimum retention period of 30 days for transitory records. 


8. If the footage is reviewed and it is determined that it contains an event, or if an ATIP request 
or formal complaint is received within 30 days of the creation of the recording, the footage 
will need to be copied to another storage location on the server, or to another storage 
medium such as a USB key or DVD (Information considered Protected C shall be encrypted) 
and will be retained for a minimum of two years in accordance with subsection 4(1) of the 
Privacy Regulations. All recordings and copies will be retained in accordance with the 
relevant CBSA security policy (Comptrollership Manual — Security Volume — Chapter 6: 
Storage of Sensitive Information and Assets). 
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9. The purpose for which the footage is being retained must be identified. If data will be 
disclosed outside the CBSA follow data flow #10. If data will not be disclosed outside the 
CBSA follow data flow #12. 


10. If the recording is being retained in relation to an ATIP request, a formal complaint or if the 
event is related to a criminal offence that will be investigated by another law enforcement 
agency, the information may be disclosed outside of the CBSA. Any disclosure of video 
recordings will be made in accordance with all relevant legislation and policy, including the 
AV Policy. 


11. The recording will be deleted/disposed of two years from the date that the last 
administrative action is taken with respect to it. Disposal of video recordings will be done in 
accordance with the policy found in the CBSA Comptrollership Manual — Security Volume, 
Chapter 8: Disposal of Sensitive Information and Assets. 


12. If the event contained in the recording is related to an event concerning only the CBSA (i.e. 
CBSA employees only and should not be relevant to third parties), the information will not 
be disclosed outside of the Agency. 


13. The recording will be deleted/disposed of two years from the date that the last 
administrative action is taken with respect to it. Disposal of video recordings will be done in 
accordance with the policy found in the CBSA Comptrollership Manual — Security Volume, 
Chapter 8: Disposal of Sensitive Information and Assets. 
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4.1a Audio and Audio-Video Data Flow Model - Diagram 


Will data be dis- 
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Audio and Audio-Video Data Flow Explanatory Notes 


1. Data is captured by means of cameras and or standalone audio capture devices that are 
plainly and clearly announced and/or are visible in their placement or use. If video is 
captured within an interview room, signs inform travellers and/or employees that an area is 
under surveillance. 


Data is captured to provide evidence regarding offences relating to the acts and regulations 
that the CBSA governs at POEs 


2. All audio and audio-video recordings are securely stored as per CBSA policies on the storage 
of protected information when they are not in use. (Refer to Appendix: Comptrollership 
Manual — Security Volume — Chapter 6: Storage of Sensitive Information and Assets). 


Access to and control of any equipment used for recording purposes is limited to qualified 
operators who are authorized to do so by the manager responsible for the facility in which 
the equipment is located. Authorization is provided in writing and specifies the purposes for 
which access and or control is given. 


3. Event- means any offences relating to the acts and regulations that the CBSA governs at 
POEs 


4. Recordings must be reviewed to identify the applicable footage. 


5. Ifthe footage is reviewed to verify an event and a determination is made that no event 
occurred and no further action will be necessary in relation to the recording, the recording 
can be considered to be a transitory record. 


6. The footage will need to be copied to another storage location on the server, or to another 
storage medium such as a USB key or DVD (Information considered Protected C shall be 
encrypted) and will be retained for a minimum of two years in accordance with subsection 
4(1) of the Privacy Regulations. All recordings and copies will be retained in accordance 
with the relevant CBSA security policy (Comptrollership Manual — Security Volume — Chapter 
6: Storage of Sensitive Information and Assets). 


7. The purpose for which the footage is being retained must be identified. 


8. If the recording is being retained in relation to a criminal offence that will be investigated by 
another law enforcement agency, the information may be disclosed outside of the CBSA. 
Any disclosure of video recordings will be made in accordance with all relevant legislation 
and policy, including the AV Policy. 


9. Therecording will be deleted/disposed of two years from the date that the last 
administrative action is taken with respect to it. Disposal of video recordings will be done in 
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accordance with the policy found in the CBSA Comptrollership Manual — Security Volume, 


Chapter 8: Disposal of Sensitive Information and Assets 


10. If the event contained in the recording is related to an event concerning only the CBSA (i.e. 
CBSA employees only and should not be relevant to third parties), the information will not 
be disclosed outside of the Agency 


11. The recording will be deleted/disposed of two years from the date that the last 
administrative action is taken with respect to it. Disposal of video recordings will be done in 
accordance with the policy found in the CBSA Comptrollership Manual — Security Volume, 


Chapter 8: Disposal of Sensitive Information and Assets 


4.2 Example of a Data Flow Model - Table 
Source of the personal information for the program or activity 


From whom or from what organization is the personal information collected. In other words, 
identify who is providing the personal information that is being used, will be used or available for 
use for the program or activity. There may be more than one source, indicate all sources: 


SOURCE | IDENTIFY THE SOURCE 

o ES 
A federal government institution (identify from ——— INA 
: what PIB the information is obtained) : 

[Nomfederalinstitutions OS 
mE - Provincial Government NA 
EE - Municipal Government NA 
EE - AboriginalGovernment/Council MA 
m— C TE Ms M meten: 
— TR | 
" mE POM Cee A n E 
M | Lata Takada ME | 


| the CBSA but installed in operational areas, airport or 
| bridge authorities sometimes share video recordings 
| with the CBSA. These locations are as follows: 


Windsor Tunnel 
Ambassador Bridge 
Bluewater Bridge 
Niagara-Whirlpool Bridge 


Fort Erie- Peace Bridge 


(Applicable to video only records obtained from the 
| authority, and not applicable to audio and/or audio- 
| video records obtained in interviews by the CBSA) 
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- Located in Canada and Foreign Owned N/A 
- Located abroad and Canadian Owned N/A 
- Located abroad and Foreign Owned N/A 


4.3 Internal Use and Disclosure 


Where will that information circulate within the federal government institution? This must identify 
any related programs or activities and personal information banks as identified in the institution's 
Info Source chapter. 


Program | Personal information bank 
Ports ofentry 0000000000000 Oe MN. 
Investigations — 0 Rt l —— 
Intelligence eee EE 
——— CBSA PPU 020, CBSA PPU 026, 


. CBSA PPE 813, CBSA PPU 039 
| | (Not applicable to records obtained from 
| Personnel Security and Professional Standards | interviews) 


4.4 External Use and Disclosure 


Where will that information circulate outside of the federal government institution? This includes any 
disclosure made to: 


| The individual or a representative - An individual or his/her representative may make an 
: - ATIP request with respect to his/her information. 


| A federal government institution | Records may be disclosed to other federal government 
institutions for the purpose of enforcing federal 
_ legislation. 


- Provincial Government - Records may be disclosed to provincial law enforcement | 
| agencies for the purpose of enforcing federal : 
_ legislation. 


- Municipal Government - Records may be disclosed to municipal law enforcement - 
| agencies for the purpose of enforcing federal 
_ legislation. 


- Organization of a Foreign State _ Customs Act 107(8) - This provision permits the CBSA to 
_ provide customs information to a foreign official of any 
: of the entities listed in subsection 107(8) as long as it is 
| in accordance with an international convention, 
: agreement or other written arrangement between the 
| Government of Canada or an institution of the 
. Government of Canada and the government of the 
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- Located in Canada and Canadian Owned 


- Located in Canada and Foreign Owned 


4.5 Retention / Storage 


| foreign state, the organization, the community or the 

| institution, solely for the purposes set out in that 

| arrangement. The written collaborative arrangement 

_ could be an information sharing Memorandum of 

| Understanding, a Customs Mutual Assistance 

| Agreement, or other related instrument (See Section 5, 
- 10.1.4 for list of countries) 


| e.g. Canada has a Customs Mutual Assistance 

_ Agreement (CMAA) with the United Kingdom of Great 
- Britain and Northern Ireland. The CMAA allows for the 
- exchange of customs information, intelligence, and 
documents that assists each country in the prevention 
- and investigation of customs offenses. 


- Recordings may be disclosed to private sector 

: organizations such as Airport or Bridge Authorities 

: when incidents involving employees of such Authorities 

| or traffic accidents or other incidents for which the 

: Authority may require footage. Such disclosures will 
_ only be made in accordance with the relevant legislative - 
- provisions and within the bounds of a clearly articulated | 
: Memorandum of Understanding. (Applicable to video — 
- only records, and not applicable to audio and/or audio- 

_ video records obtained in interviews) 


| Recordings may be disclosed to private sector 

| organizations such as Airport or Bridge Authorities 

- when incidents involving employees of such Authorities 

_ or traffic accidents or other incidents for which the 

| Authority may require footage. Such disclosures will 
_ only be made in accordance with the relevant legislative - 
: provisions and within the bounds of a clearly articulated | 
| Memorandum of Understanding. (Applicable to video | 
- only records, and not applicable to audio and/or audio- 


Where will the information be stored or retained (identify all organizations that will store the 
information — this includes duplicates of the databases containing the personal information or any 


back-ups): 


- Recordings will be stored at the location where they are : 
_ made. The recordings will be housed on secure servers _ 


e 
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1. Provincial Government 


< and in secure storage with access controls. 


- In all cases where storage devices are used, they will be 
| required to meet baseline physical security 

| requirements based on the level of sensitivity of 

| information gathered as per CBSA Security Volumes, 

_ depending on the recording medium. 


- A copy of recordings disclosed to other federal 
government institutions, including federal law 
enforcement agencies, will be housed within those 

| institutions or law enforcement agencies according to 
| their requirements. 


- A copy of recordings disclosed to provincial law 
: enforcement agencies will be housed within those 
. agencies according to their requirements. 


: British Colombia Freedom of Information and Protection © 
- of Privacy Act: 
- 30.1 A public body must ensure that personal 

_ information in its custody or under its control is stored 

- only in Canada and accessed only in Canada, unless one 

_ of the following applies: 


: (a) if the individual the information is about has 

| identified the information and has consented, in the 
: prescribed manner, to it being stored in or accessed 
- from, as applicable, another jurisdiction; 


- (b) if itis stored in or accessed from another jurisdiction : 
| for the purpose of disclosure allowed under this Act; : 


- (c) if it was disclosed under section 33.1 (1) (i.1). 


: Nova Scotia's Personal Information International 
_ Disclosure Protection Act: 


| 5 (1) A public body shall ensure that personal 

- information in its custody or under its control and a 

| service provider or associate of a service provider shall - 
| ensure that personal information in its custody or under | 
| its control is stored only in Canada and accessed only in. 
Canada, unless 


- (a) where the individual the information is about has 

_ identified the information and has consented, in the - 
| manner prescribed by the regulations, to it being stored - 
- in or accessed from, as the case may be, outside - 
Canada; 


| (b) where it is stored in or accessed from outside | 
Canada for the purpose of disclosure allowed under this : 
: Act; or : 


e 
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: access outside Canada pursuant to subsection (2). 


| (2) The head of a public body may allow storage or 

| access outside Canada of personal information in its 

| custody or under its control, subject to any restrictions 

- or conditions the head considers advisable, ifthe head 
_ considers the storage or access is to meet the necessary | 
- requirements of the public body's operation. : 


- (3) Where the head of a public body makes a decision 
pursuant to subsection (2) in any year allowing storage 
- or access outside Canada, the head shall, within ninety 
days after the end of that year, report to the Minister 

- all such decisions made during that year, together with 
- the reasons therefor. 


- (4) In providing storage, access or disclosure of personal : 
: information outside Canada, a service provider shall : 
: only collect and use such personal information that is 

: necessary to fulfill its obligation as a service provider, 

- and shall at all times make reasonable security 

| arrangements to protect any personal information that 

| it collects or uses by or on behalf of a public body. 


- Quebec's public sector privacy law, An Act Respecting 
_ Access to Documents Held by Public Bodies and the 
_ Protection of Personal Information: 


- Not applicable as this applies to documents 


: A copy of recordings disclosed to municipal law 


- enforcement agencies will be housed within those 
| agencies according to their requirements. 


3. Located in Canada and Canadian Owned 


- A copy of recordings disclosed to any Airport or Bridge 
_ Authority will be housed within those Authorities 


. according to their requirements, and as per the 

| requirements of the MOU. (Applicable to video only 
| records, and not applicable to audio and/or audio-video | 
- records obtained in interviews) | 


4. Located in Canada and Foreign Owned 


- A copy of recordings disclosed to any Airport or Bridge 

_ Authority will be housed within those Authorities 

- according to their requirements, and as per the 

: requirements of the MOU. (Applicable to video only 
- records, and not applicable to audio and/or audio-video - 


ie 
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4.6 Other Possible Considerations 


| N/A 


CBSA - Released under the Access to Information Ac 
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Identify the areas, groups and individuals who access and handle the personal information: 


Identify the areas / groups / divisions who are allowed to access and handle the personal information 
collected for the program or activity. Also, identify where these areas or groups are located (i.e. national 
capital region, within a province, in a foreign country, or several locations if teleworking) as well as the 
location of the personal information to uncover any potential trans-border or inter-jurisdictional issues. 
When reasonable to do so, by virtue of the size of the organization or the number of individuals, identify 
individual positions rather than the work area or group. 


| Ports of entry 


| Investigations 


. Intelligence 


| Inland Enforcement 


| Personnel Security and Professional 
. Standards 


Canada Border Services Agency 


Positions who have access or use the personal 
information (where appropriate) 


Chiefs, Supervisors and select Border Service 
Officers have access as part of their official 
duties at certain locations (Applicable to video 
only records, and not applicable to audio 
and/or audio-video records obtained in 
interviews). . 

Chiefs, Supervisors and Investigation Officers 
have access as part of their official duties at 
certain locations (Applicable to video only 
records, and audio and/or audio-video records 
obtained in interviews). 

Chiefs, Supervisors and Intelligence Officers 
have access as part of their official duties at 
certain locations (Applicable to video only 
records, and audio and/or audio-video records 
obtained in interviews). 

Chiefs, Supervisors and Inland Enforcement 
Officers have access as part of their official 
duties at certain locations (Applicable to video 
only records, and audio and/or audio-video 
records obtained in interviews). 

Various positions (Applicable to video only 
records on a need to know basis, and not 
applicable to audio and/or audio-video records 
obtained in ne. 


Geographical Location 


. The CBSA uses CCTV 

| technology at 167 sites across 
Canada. - 
. The CBSA uses CCTV 

| technology at 167 sites across 
Canada. Handheld devices to 
| record voice only can be used 
_Investigations —n — à à  Obtainedininterviews). — _atall work locations. — 
. The CBSA uses CCTV 
technology at 167 sites across 
. Canada. Handheld devices to 
| record voice only can be used 
„Intelligence —n — — n Obtained in interviews). — —  — — 5— — — _atall work locations. — 
| . The CBSA uses CCTV 

| technology at 167 sites across 
. Canada. Handheld devices to 
record voice only can be used 
_InlandEnforcement —n h^ ^ records obtained in interviews). — —  — _atall work locations. — 
. The CBSA uses CCTV 
technology at 167 sites across 
m: Canada 
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SECTION 5 - PRIVACY COMPLIANCE ANALYSIS 


Has a legal authority been identified for the collection of personal information for this program or activity? 


Statutory reference: Section 4 of Privacy Act (Section 4 has been interpreted to mean that a legal authority 
must be established for a collection of personal information, but section 4 does not provide legal authority for 
such a collection). 

Policy reference: Section 6.2.6 of Directive on Privacy Practices 


Yes 


1.1 [X] Please specify the legal authority and briefly explain its connection to the program or activity or how 
: it permits the collection of the personal information: 


Canada Border Services Agency Act, paragraph 5(1)(a) 


If legal authority is unclear consult your Legal Service to determine authority for the program or activity. 


The CBSA's use of electronic recordings is directly related to paragraph 5(1)a of the CBSA 
Act and does not raise high risks of violating section 8 of the Charter nor section 4 of the 
Privacy Act as long as the information captured is used within set limitations. 


1.2 X AND, ensure that the legal authority to collect the personal information is cited in the relevant PIB 
and in “Section | — Overview and PIA Initiation" of the PIA. 


— Continue to Question 2 
No 


1.3 [| If there is no legal authority for the collection of personal information, it cannot be collected. Please 
| consult your institution's legal advisors to determine if there is authority to proceed with the 
program or activity. 


Is each element and sub-element of personal information collected or to be collected necessary to 
administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 
Policy reference: Sections 6.1.1, 6.1.3, 6.1.4, 6.2.7 and 6.2.8 of Directive on Privacy Practices 
YES 


2.1 [x] Ensure that all personal information necessary to administer the program or activity is listed in the 
: relevant PIB. 


2.2 Dx] AND, implement controls and procedures to ensure the institution does not collect more personal 
| information than is necessary for the identified program or activity and that a continuing need exists 
for that information or its collection. 


— Continue to Question 3 


NO 


2.3 L| Review the proposed elements and sub-elements of personal information outlined in "Section 3 — 
Analysis of Personal Information Elements" to identify those that are "necessary" and not merely 
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Is the collection of the Social Insurance Number (SIN) necessary to administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 


Policy reference: Section 6.2.13 of Policy on Privacy Protection and sections 6.1.1 and 6.2 to 6.4 of Directive on 
Social Insurance Number 


Also see "Guidance for Preparing Information-Sharing agreements Involving Personal Information" and "Taking | 
Privacy into Account Before making Contracting Decisions" 


YES 


3.1 | | Collection of the SIN must be in compliance with the Directive on Social Insurance Number (please 
| check all appropriate boxes below): 


| 3.2 | | State legal authority for collecting the SIN: 


3.3 | | Establish explicit authority through legislative amendment(s). 
: 3.4 [| Establish legal authority as outlined in the Directive on Social Insurance Number. 
AND, if disclosure of the SIN by the institution is to occur on a routine or systematic basis 


3.4.1 LA to another federal institution that is authorized to collect it, or to another level of government, 
establish an agreement or arrangement that includes specific provisions to limit the use of the 
SIN. 


3.4.2 | | to a contractor or other external service provider, establish a contract that includes specific 
provisions to limit the use of the SIN. 


3.5 | | AND, ensure that the relevant PIB for the program or activity states the authority under which the 
SIN is collected and the purpose for which it is used. 

—> Continue to Question 4 
NO 
: 3.6 [X] The SIN is not necessary and it will not be collected, used or disclosed to administer the program or 
: activity. 


— Continue to Question 4 


Is personal information collected directly from the individual to whom it relates? 


Statutory reference: Sections 4 and 5 of Privacy Act 
Policy reference: Sections 6.1.1, 6.2.6 and 6..2.9 to 6.2.13 of Directive on Privacy Practices and section 6.1.2 
and 6.4.1 of Directive on Social Insurance Number 

YES 


4.1 Dx] A "Privacy Notice" (adapted for either verbal or written communications) must be provided to the 
: individual at the time of collection and it must notify the individual of any of the following elements 
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that apply (please check all appropriate boxes): 

D a) The purpose and authority for the collection 
x] b) Any uses or disclosures that are consistent with the original purpose. 

| | c) Any uses or disclosures that are not related to the original purpose 

[| | d) Any legal or administrative consequences for refusing to provide the personal information 


[x] e) That the "individual to whom the information relates" has rights of access to, correction of 
and protection of personal information under the Privacy Act. (Applicable to video only 
records, and not applicable to audio and/or audio-video records obtained in interviews) 

|] f) Areference to the PIB for the program or activity 

| | g) Why the SIN is collected, how it will be used and the consequence of not providing it. 


AND, add a "Consent Statement" to the "Privacy Notice" as appropriate, if the personal information is to 
be used or disclosed for a purpose other than the original purpose or a consistent use, or, to authorize 
indirect collection of personal information. 


4.2 | | The “Consent Statement" must include, as applicable, the following elements (please check all 
: appropriate boxes): 


|_| a) The purpose of the consent and the specific personal information involved. 
| | b) In the case of indirect collections, the sources that will be asked to provide the information. 


[| c) Uses and disclosures that are not consistent with the original purpose of the collection and 
for which consent is being sought. 


| ] d) Any consequences that may result from withholding consent. 
[| e) Any alternatives to providing consent 


: 4.3 | | AND, implement controls and procedures to ensure that the institution keeps a record documenting 
2 whether or not an individual provided consent when it was sought, including a record documenting 
any withdrawal of consent when applicable. 


— Continue to Question 5 
NO 


4.4 [| The personal information necessary for the program or activity is not collected directly from the 


individual. It is collected indirectly, for example, from another program within the institution, or from 
another institution, government or third party. 


— Continue to Question 5 


: Is personal information collected indirectly from another source with the informed consent of the individual 
_ to whom it relates, or from a person authorized to act on behalf of the individual pursuant to section 10 of 
_ the Privacy Regulations? 


Statutory reference: Sections 4 and 5 of Privacy Act and section 10 of Privacy Regulations 


Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and sections 6.1.2 
and 6.4.1 of the Directive on Social Insurance Number 
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5 1 [| The notice and consent requirements stated at Question 4 apply. Please review the required 
| elements listed under "YES" at Question 4 and check the corresponding boxes below to indicate the 


elements that need to be included in the "Privacy Notice" or the "Consent Statement" (check all that. | 
PPN 


E 2 | | AND, cn controls and procedures to ensure the institution keeps a record documenting 


whether or not an individual provided consent when it was sought, including a record documenting 
any withdrawal of consent when applicable. 


5.3 | | AND, if information is being collected from persons authorized to act on behalf of minors, 

: incompetents or individuals who have been deceased for less than 20 years, implement appropriate 
mechanisms to ensure that such persons are authorized to act on behalf of individuals who do not 
have the capacity to provide consent. 

— Continue to Question 6 
NO 


5.4 [x] > Continue to Question 6 


Is personal information collected from another source without notice to or consent from the individual to 
whom the information relates? 


Statutory reference: Sections 4, 5, 7 and 8 of Privacy Act and section 10 of Privacy Regulations 


Policy reference: Sections 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices, section 6.2.15 of the Policy - 
on Privacy Protection and sections 6.3.2 and 6.3.3 of Directive on Privacy Impact Assessment 
YES 


6 1 a Where information is collected indirectly under any of the following circumstances without notice to, 


or consent from, the individual to whom it relates, please check the applicable boxes and explain as 
requested: 


[| | a) The collection is a result of a disclosure to the institution under subsection 8(2) of the Privacy 


Act. State the applicable paragraph(s) of subsection 8(2) and provide a brief explanation for 
ram 


[| b) Direct notification of the individual might result in the collection of inaccurate iore. or 


might defeat the purpose or prejudice the use for which the information is collected. Briefly 
Em why notice is not provided 


| lc) The information involved in the program or activity is to be used solely for a non- 


administrative purpose in which no decisions are made about the individuals to whom the 
information relates. 
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: 6.2 | ] AND, if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the relevant 
| PIB. 


6.3 | | AND, if the information is to be used solely for a non-administrative purpose (box c above has been 

checked), ensure that the requirements under sections 6.3.2 and 6.3.3 of the Directive on Privacy 
Impact Assessment have been met, and that the decision of the official responsible for section 10 of — 
the Privacy Act to proceed with a PIA for the program or activity has been adequately documented in | 
the description of the program or activity in "Section | - Overview and PIA Initiation" of the PIA. 


6.4 | | OR, if none of the circumstances in a) b) or c) is applicable, then the personal information must be 
collected directly from the individual, or indirectly with the consent of the individual. Please review 
the responses to Questions 4 and 5 and ensure that the "Privacy Notice" or the "Consent 

Statement" includes all of the required elements listed under "YES" at Question 4. 


— Continue to Question 7 
NO 


6.5 Dx] All personal information is collected directly from the individual to whom it relates, or from another 
: source with notice to, or consent from, the individual or a person authorized to act on behalf of the 
individual (see Questions 4 and 5 above). 


— Continue to Question 7 


| Has Library and Archives Canada approved a records retention and disposal schedule that applies to the 
_ personal information? 


Statutory reference: Section 12 of Library and Archives Canada Act, sections 6, 10 and 11 of Privacy Act and 
section 4 of Privacy Regulations 


Policy reference: Sections 6.1.3, 6.2.11 to 6.2.13 and 6.2.23 of Directive on Privacy Practices 
YES 


7.1 [X] Please identify the Record Disposition Authority (RDA) and describe the retention and disposal 
| Schedule: 


For any record considered to be a transitory record, the RDA is MIDA 90/000: transitory records will 
be retained for 30 days and will be destroyed within 15 days of the expiration of that retention 
period. 


Recordings of any video monitoring activity must be retained for no less than thirty (30) days , 
following the date of their creation. Recordings that are used to obtain or provide information or to | 
investigate an allegation or complaint, or used as evidence in respect of an identifiable individual : 
shall be kept for the longer of two (2) years following the date of their creation, or following the 

date of their last use in an administrative action as information or as evidence in respect of that 
person. 


A RDA has been requested from Library and Archives Canada for all records which are not 

considered to be transitory. The request has not yet been approved; however itis the intention of 
the CBSA to retain these records in accordance with paragraph 4(1)(a) of the Privacy Regulations, for - 
a minimum of two years from the date of their creation. : 


| 2 51. AND, implement controls and procedures to ensure that personal information used to like a 
| decision that directly affects an individual will be retained for a minimum of two years after the last 
administrative action or, where a request for access to the information has been received, until such 
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: time as the individual has had the opportunity to exercise all his/her rights under the Act) 
; 7.3 | | AND, if the institution intends to dispose of personal information that has been used for an 
2 administrative purpose prior to the expiration of the two-year minimum retention standard 


established by the Privacy Regulations, it must obtain the consent of the individual to whom the 
information relates before doing so. 


: 7.4 DX] AND, the institution must cite the RDA number, the retention period and the disposition standards 
; for the personal information in the relevant PIB. 
— Continue to Question 8 
NO 


| 7.5 Provide a Records Disposition Submission to Library and Archives Canada describing the records 
| containing the personal information for which the institution requires a RDA. 


The CBSA has requested a RDA for all audio-video records that are not considered to be 
: transitory. 
7.6 [X] AND, obtain a RDA from Library and Archives Canada to allow the institution, under certain 
2 conditions, to dispose of records that no longer have operational utility for the program or activity. 


7.7 X AND, ensure that all the other applicable requirements listed under "YES" at Question 7 are met. 
—> Continue to Question 8 


Will measures be adopted to ensure that personal information used by the institution for an administrative 
purpose is as accurate, up-to-date and complete as possible? 


Statutory reference: Sections 6, 10 and 11 of Privacy Act and sections 10 and 11 of Privacy Regulations 


Policy reference: Sections 6.1.1 and 6.2.9 to 6.2.16 of Directive on Privacy Practices 


YES 


8.1 | | Please check any of the following measures that will be adopted to ensure accuracy of the personal 
2 information and provide details as requested: 


8.1.1 [X] Personal information will be collected directly from the individual to whom it relates or it will be 
validated with the individual or a person authorized to act on behalf of the individual. 


8.1.2 | | A data-matching process will be used to verify the accuracy of personal information against a 
"reliable source" (within or outside the institution) where this is authorized, or where consent 
was obtained. Please briefly describe the data-matching process and the source(s) that will be 
used to ensure accuracy of the information: 


from trusted sources (public or private) and verify accuracy against existing personal information 
before use. Please identify the sources and procedures to be used to check the accuracy of the 
information: 
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8.1.4 [| es ee methods will be used to identify errors and discrepancies. Please briefly describe 
ihese technological methods: 


E 2 | | AND, “if measures are adopted other than "direct collection or validation with the individual or with: a 


person authorized to act on behalf of the individual", the institution must implement appropriate 
controls and procedures to ensure that: 


a) the technique(s) and the specific source(s) used to validate or update the personal information 
are documented; 


b) individuals are given the opportunity, whenever possible, to request correction of any inaccurate 


personal information before the information is used in a decision-making process that affects 
them; 


c) personal information can only be modified or corrected by those within the institution who have 
the authority to do so; and 
d) when personal information is corrected or annotated, other authorized holders of the - 
information are notified about the correction or annotation and that all copies of the information 
: in the possession of the institution are corrected / annotated. 
8.3 | | AND, if appropriate, ensure that the “Privacy Notice" or “Consent Statement" and the relevant PIB 
: are amended to identify the data-matching activity including the source(s). 
—> Continue to Question 9 
NO 


8.4 mu eoe explain why such measures will not be adopted: 


: Will the personal information collected for the program or activity be used solely for the original purpose 
| for which it was obtained or compiled, a use consistent with that purpose, or a purpose for which the 
_ information was disclosed to the institution pursuant to subsection 8(2) of the Privacy Act? 


Statutory reference: Sections 5 and 7 to 11 of Privacy Act 


Policy reference: Sections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices, section 
6.2.15 of Policy on Privacy Protection and Section IV of Appendix C of Directive on Privacy Impact Assessment 
YES 


9.1 [X] Implement controls and procedures to ensure that access to the personal information for such 
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purposes will be limited to authorized individuals who need to know the information to perform their 
official duties 


9.2 Dx] AND, ensure that the “Data Flow Diagram" or “Data Flow Tables" completed for “Section IV — Flow of 

Personal Information" of the PIA identify the areas, groups and individuals (e.g., the positions) within 
the institution who have a need-to-know to access to or handle the personal information, including 
their geographical location and where the personal information will be stored or retained. 


| 9.3 [X] AND, if the purposes for which the personal information is used includes any use(s) of the 

: information for a non-administrative purpose, (such as research, statistical, audit and evaluation 
purposes) the institution will adhere to the requirements and principles in its "Privacy Protocol For 
Non-Administrative Purposes", in accordance with section 6.2.15 of the Policy on Privacy Protection, 
to address any impact that such non-administrative uses may have on privacy. 


— Continue to Question 10 
NO 


9.4 | | Identify below any other uses of the personal information, in other words, any routine uses that are 

| not directly related to the purpose of the collection, or, which are not consistent with that purpose 
or for which the information was disclosed to the institution pursuant to subsection 8(2) of the 
Privacy Act: 


9.5 [| AND, ensure that these other uses are reflected in the relevant PIB 


9.6 [| AND, include a description of these other uses in the "Privacy Notice" or "Consent Statement", as 
: appropriate, 


| | AND, ensure the all the other applicable requirements listed under "YES" at Question 9 are met. 


— Continue to Question 10 


. Will personal information be disclosed for purposes directly related to the administration of the program or 
. activity? : 


Statutory reference: Sections 5 and 8 to 11 of Privacy Act. 


Policy reference: Sections 6.2.10, 6.2.11 and 6.2.13 of Policy on Privacy Protection, sections 6.2.1 to 6.2.3 of - 
Directive on Social Insurance Number, sections 6.1.9, 6.2.9 to 6.2.13 and 6.2.15 to 6.2.20 of Directive on Privacy : 
Practices and section IV of Appendix "C" of Directive on Privacy Impact Assessment ) : 


Also see "Guidance for Preparing Information-Sharing agreements Involving Personal Information" and “Taking : 
Privacy into Account Before making Contracting Decisions 


| YES 
: 10.1 Dx] Please check all applicable boxes below and, for each disclosure, identify the name of the 


organization or third party to which personal information will be disclosed. If it is disclosed within 
the institution, please identify the branch and the program or activity. 


10.1.1 Dx] Within the institution for another program or activity — specify 


Criminal Investigations, Security and Professional Standards, Intelligence, Inland 
Enforcement 
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i | Provincial, municipal and local police agencies, such as the Ontario Provincial Police, the 
- Sureté du Québec, and Halifax Regional Police 


. Written Collaborative Arrangements exist between the CBSA and the following countries 
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! Airport and Bridge Authorities, such as the Greater Toronto Airport Authority (Applicable 
| to video only records, and not applicable to audio and/or audio-video records obtained in 
| interviews) 


| 10.2 [X] AND, ensure that: 


a) any such disclosure is made in compliance with section 8 of the Privacy Act, which allows 
disclosures of personal information with consent of the individual to whom the information 
relates (subsection 8(1)) or without consent in certain and limited circumstances pursuant to 
subsection 8(2) of the Act; 


b) only personal information elements that are necessary for the intended purpose are disclosed; 
c) theorganization or third party receiving the personal information is authorized to do so; 


d) administrative, physical and technical safeguards appropriate to the sensitivity of the information 
will be applied to protect the information during and after its transmission (see Question 15); 


e) theorganization or third party to which the personal information will be disclosed for the 
administration of the program or activity are identified in the "Consistent Use" section in the 
relevant PIB in /nfo Source, including the specific purpose of the disclosure; 


f) the "Privacy Notice" or "Consent Statement" describes any disclosures of information; and, 


g) the "Data Flow Diagram" or "Data Flow Tables" completed in "Section IV — Flow of Personal 
Information" of the PIA include details on the disclosed personal information: 


: 10.3 [X] AND, any disclosure of personal information to another federal institution or outside the 

: Government of Canada is governed by a formal agreement or arrangement (e.g., a Memorandum of 
Understanding, an accord, a contractual arrangement, etc.) to ensure that appropriate privacy 
protection clauses are included, and, where applicable, include provisions for inter-jurisdictional or 
transborder flows of personal information. Such clauses must cover the following topics: 


a) Control over personal information, where appropriate. 
b) Limitations on the collection, retention, use and disclosure of personal information. 


c) Measures (administrative, technical and physical) to protect the integrity and confidentiality of 
personal information. 


d) Measures governing the disposition of the personal information, where relevant 


e) Measures to ensure or verify that the personal information is only used for the purposes related 
to the agreement, arrangement or contract. 


f) Obligations are to be extended to other parties such as subcontractors. 
— Continue to Question 11 
: NO 
10.4| | There is no disclosure of personal information within or outside the institution for purposes that are 
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directly related to the administration of the program or activity. 


— Continue to Question 11 


: Will controls and procedures be implemented to account for any new use or disclosure of the personal 
information that is not included in the relevant PIB published in Info Source? 


Statutory reference: Sections 7 to 11 of Privacy Act and section 4 of Privacy Regulations 
Policy reference: Sections 6.1.9 and 6.2.2 of Directive on Privacy Practices 
- YES 
11.1 [X] Appropriate controls and procedures have been or will be implemented to ensure that: 


a) the head of the institution or the appropriate delegate is notified about any new use or 
disclosure of personal information that is not reflected in the PIB description published in /nfo 
Source; 


b) the consent of the individual to whom the information relates is obtained in writing, as 
appropriate, prior to any new use of the information for an administrative purpose that is not 
reflected in the relevant PIB published in /nfo Source, unless the new use is considered to be 
consistent with the purpose for which the personal information was obtained or compiled and 
the Privacy Commissioner is notified forthwith regarding the new consistent use; 


C) except as permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 
information for a purpose that is not reflected in the relevant PIB published in /nfo Source will 
only be made with the consent of the individual to whom the information relates; 


d) arecord is kept for any new use or disclosure of personal information not described in the : 
relevant PIB published in /nfo Source, and that this record is stored with the personal information 
to which it relates and retained for a minimum period of two years following such a use or 
disclosure 


e) if the information is disclosed to a federal investigative body under paragraph 8(2)(e) of the | 
Privacy Act, the record of disclosure will be kept in a separate PIB for a period of two years where | 
it will be available to the Privacy Commissioner for review upon request; | 


f) the Privacy Commissioner is notified forthwith, as required under subsection 9(4) of the Act, of 
any new use or disclosure that is consistent with the purpose for which the information was 
obtained or complied, but which is not reflected in the relevant PIB published in /nfo Source; 


g) the relevant PIB is amended in time for the next edition of /nfo Source to include any new use(s) 
or disclosure(s) that are consistent with the purpose for which the information was obtained or 
compiled, as well as any routine use(s) or disclosure(s) that do not fall within the categories of 
purpose of collection or consistent use; and 


h) the Privacy Commissioner is notified prior to or forthwith, as required under subsection 8(5) of 
the Act, about any disclosures made or to be made in the public interest or in the interest of the 
individual to whom the information relates. 


i) Other, specify 
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— Continue to Question 12 
NO 


Er 2 |_| Please explain why such controls and procedures will not be implemented (provide adequate 
eee 


Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of sensitivity of 
the personal information to be collected and retained for the program or activity? 


Statutory reference: Sections 7 and 8 of Privacy Act. 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: Management of 
Information Technology Security (MITS 

YES 


12.1 [X] The information contained in the SoS or similar analysis has been taken into account when assessing 
the level of risks to privacy in "Section 2 - Risk Area Identification and Categorization" of the PIA. 


— Continue to Question 13 
NO 


12.2| | Please explain why a SoS or similar analysis was not considered necessary to assess the sensitivity of 
the information. 


Has a Threat and Risk Assessment (TRA) or a similar security assessment been completed for the program or 
| activity? 


Statutory reference: Sections 7 and 8 of Privacy Act. 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: Management of 
Information Technology Security (MITS) 

YES 


13.1 [X] Reference the title of the TRA or other security assessment in “Section VII — Supplementary 
: Documents List" and provide a brief synopsis of the assessment in the space below: 


TRAs have been completed for 8 sites, representing highway (land and bridge), air, rail, 
marine, inland and commercial operations. 


The TRAs have identified eleven significant residual risks as stated in the attached summary. 
and noted that the residual risk level for each site is: High 
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The TRAs have identified 54 recommendations to mitigate the assessed risks to a lower 
level. 


Once the 54 recommendations are fully implemented the overall projected residual risk 
level for this assessment is: Low 


: 13.2 gl AND, obtain assurances from the officials responsible for the program or activity that the measures 
- recommended in the assessment have been implemented to ensure the confidentiality, availability 
and integrity of the personal information. 


13.3| | AND, ensure that any residual risks to personal information are known and accepted by the 
| executive or senior official responsible for the program or activity and the Head or delegated 
authority for the Privacy Act. 


— Continue to Question 14 
NO 


13.4| | If a TRA or similar security assessment is underway, simply reference that fact in the space below and 
| indicate when it is likely to be completed. If there is no intent to complete one, please explain. | 


Please identify below any administrative, physical and technical safeguards in place, or to be implemented, 
: for this program or activity to ensure the confidentiality, availability and integrity of the personal 
information. 


Statutory reference: Sections 7 and 8 of Privacy Act 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 


Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: Management of 
Information Technology Security (MITS 


Please check all that apply, including safeguards identified by the TRA or similar security assessment. 
14.1 Administrative safeguards 

Dx] Internal security and privacy policies and procedures 

Dx] Staff training on privacy and the protection of personal information 

X] Screening and security checks of employees 

Dx] Appropriate security levels for employees who will have access to personal information 


DX] Contingency plans and documented procedures in place to identify and respond to security and 
privacy breaches 


| | Regular monitoring of users’ security practices 


Dx] Methods to ensure that only authorized personnel who need to know have access to personal 
information 


NE Other — please describe 
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14.2 Physical safeguards 
DA Restricted access areas 
[| Security guards 
D Identification badges are worn by staff at all times 
After hours alarms and monitoring systems 
Locked filing cabinets 
Combination locks 
Safes 
Cipher locks 
Key cards 


DT XI LI XI LI PS È< 


Video surveillance (closed-circuit television) 
bx] Secured server locations 

|_| Backups secured off-site 

|_| Other — please describe 


14.3 Technical safeguards 

Role-based user authorization and authentication 

Biometrics 

Passwords (minimum of 6 characters long, include alpha and numeric characters) 

Passwords are changed by users every 90 days and recently used passwords cannot be re-used) 
Password protected screensavers 


Session-time out security (automatically locks an account after a session has been idle for a 
specified amount of time) 


Firewalls 

Intrusion Detection System (IDS) 
Virtual Private Network (VPN) 

|_| Encryption of sensitive information 


BEEN AMEN 


[| | Government of Canada Public Key Infrastructure Certificates (PKI) 
|_| External Certificate Authority (CA) 

| | Audit trails 

|_| Other - please describe 
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. Will the information system(s) used to deliver the program or activity employ cookies or other tracking 
| technologies to collect personal information about users and their transactions? 


Statutory reference: Sections 4 to 10 of the Privacy Act and section 4 of Privacy Regulations 


Policy reference: Subsections 6.1.1, 6.1.3, 6.1.9, 6.2.9 to 6.2.13, 6.2.17 and 6.2.23 of Directive on Privacy 
Practices 


YES 


| 15.1| ] The specific tracking technologies to be used is adequately described under Part F: Technology and 
Privacy of "Section Il — Risk Area Identification and Categorization” of the PIA; 


15.2 L| AND, the collection of any personal information using such technologies is reflected in the relevant 
| PIB and in “Section III — Analysis of Personal Information Elements" of the PIA; 


15.3[| | AND, the use of such technologies to collect information about users and their transactions is 
: adequately reflected in the "Privacy Notice"; 


15.4| | AND, those responsible for implementing and using tracking technologies to collect personal 
: information or who may have access to personal information collected through these methods are 
made aware of privacy and security policy requirements; 


15.5 [| AND, where personal information collected through such tracking technologies is used to make a 
decision that directly affects the individual to whom the information relates, it will be retained for a 
minimum of two years after the last administrative action as required under the Privacy Regulations. 


— Continue to Question 16 
NO 


15.6 [X] Tracking technologies are not used to collect personal information about users. 


— Continue to Question 16 


Will the new or modified program or activity result in new or increased surveillance or monitoring of a 
| targeted population? 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 

Charter of Rights and Freedoms 

Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
YES 


: 16.1 Dx] Consult with your legal advisors to determine whether or not such surveillance or monitoring 
: activities raise any issues relating to the Charter of Rights and Freedoms, the Privacy Act or other 
applicable acts. 


- 16.2 [X] And, ensure the surveillance or monitoring method(s) to be used, the characteristic(s) of the 
targeted population and the scope of the surveillance or monitoring are adequately described under 
Technology and Privacy of "Section Il — Risk Area Identification and Categorization” of the PIA. 


16.3 [X] AND, any personal information collected or created as a result of such surveillance or monitoring is 
: described in the relevant PIB and in Section III — Analysis of Personal Information Elements" of the 
PIA. 


: 16.4 Dx] AND, the collection or use of personal information through surveillance or monitoring is adequately 
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reflected in the "Privacy Notice", unless such notification might result in the collection of inaccurate 
information or defeat the purpose or prejudice the use for which the personal information is 
collected. 


| | If notice about surveillance or monitoring will not be provided, please explain why: 


16.5 [X] AND, those responsible for implementing and using such surveillance or monitoring method(s) or 
| who may have access to personal information collected or created through these methods are made 
aware of privacy and security policy requirements. 


— Continue to Question 17 


16.6 L| The new or modified program or activity will not result in surveillance or monitoring. 


— Continue to Question 17 


Does the program or activity involve compliance/regulatory investigation or law enforcement, surveillance 
or intelligence gathering that targets specific individuals against whom penalties, criminal charges or 
sanctions may be applicable? 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 
Charter of Rights and Freedoms 


Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
YES 


17.1 Dx] Consult with your legal advisors to determine whether or not the compliance/regulatory 
| investigation or law enforcement activities raise any issues relating to the Charter of Rights and 
Freedoms, the Privacy Act or other applicable acts. 


17.2 [X] AND, identify the legislative authority and the specific regulatory or law enforcement purpose 


The activity is undertaken in accordance with Canada Border Services Agency Act, 
paragraph 5(1)(a) 


: 17.3 [| AND, if the legislative authority differs from the legal authority for the program or activity, ensure i 
is adequately reflected in the response to Question 1 of "Section V — Privacy Compliance Analysis" 
and in "Section | — Overview and PIA Initiation "of the PIA. 


: 17.4 Dx] AND, any personal information collected or created as a result of such regulatory or criminal 
enforcement, surveillance or intelligence gathering program or activity is described in the relevant 
PIB and in "Section III — Analysis of Personal Information Elements" of the PIA. 


| 17.5 [X] AND, the collection or use of personal information through these compliance / regulatory 

| investigation or enforcement activities is adequately reflected in the "Privacy Notice", unless such 
notification might result in the collection of inaccurate information or defeat the purpose, or 
prejudice the use, for which the personal information is collected. 


| | If notice about the compliance/regulatory investigation or law enforcement activities will not be 
provided, please explain why: 
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NO 


: 17.6 |_| The program or activity does not involve the conduct of regulatory or criminal enforcement, 
| surveillance or intelligence gathering. 


Note: The table below can be used to keep an account of actions completed and to track outstanding actions required to 
achieve privacy compliance: 


Privacy Compliance | Action required to support legal and policy compliance : Done To be 
Analysis question # | (cross reference to relevant question of Section 5 — Privacy Compliance done 
| Analysis) | | 
1 | Legal authority for the program has been established and is reflected Dx L | 
_ in the relevant PIB. 
2 | a) The categories and elements of personal information to be 
... collected for the new program have been carefully assessed based, - | 
for example, on the institution's experience gained with the x C] 


administration of a similar program. The personal data collected 
will be limited to only that which is required.) 


| b) These categories and elements of personal information have been | x E 
=- described in the relevant PIB for the program. | 


c) Controls and procedures will be implemented to ensure that the | x u 
|. institution does not collect more personal information than | 
necessary for the program and that a continuing need exists for 
that information and its collection. 


4 and 5 _a) All of the requisite “Privacy Notices" and “Consent Statements" : | 
| that meet the requirements of sections 6.2.9 to 6.2.12 of the L[] X 
Directive on Privacy Practices have been drafted.(Texts of the : 
notices and consent statements may be included here.) 


| ***To be posted on the CBSA web site*** x O 


: b) Controls and procedures have been implemented to keep records 
-of individual consents, and to ensure that persons acting on behalf 
of individuals who do not have the capacity to provide consent 

have the authority to do so under section 10 of the Privacy 


Regulations. 


7 .a) A Records Disposal Authority (RDA) has been approved by Library — | 
|. A and Archives Canada to authorize the disposal of the records O OR 
| containing personal information for the program. : 
: b) Controls and procedures have been implemented within the X L] 
: program and the ATIP Office to ensure that information that has - | 
been used for an administrative purpose will be keep for the 
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minimum retention period established by the Privacy Regulations. 


: c) Reference to the RDA, the retention period and the disposition [| | Dx] 
| standards for the program have been cited in the relevant PIB. | 


8 | Controls and procedures are in the process of being implemented to _ | 
_ ensure that the personal information associated with the program is XJ O 
| as accurate, complete and up-to-date as necessary. ; 
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SECTION 6 - Summary of Analysis and Recommendations 


**Please see PIA Action Plan** 


SECTION 7 - SUPPLEMENTARY DOCUMENTS LIST 


Additional documents used or related to the PIA may include: 


CBSA Policy on the Overt Use of Audio-Video Monitoring and Recording Technology 
CBSA Directives on the Overt Use of Audio Video Monitoring and Recording Technology 
CBSA Comptrollership Manual — Security Volume Chapter 6: Storage of Sensitive 
Information and Assets 

CBSA Comptrollership Manual — Security Volume Chapter 8: Disposal of Sensitive 
Information and Assets 

CBSA Policy on the Use of Wireless Technology 

Customs Act, s. 107 

D1-16-1 and D1-16-2 

Policy Guidelines on the Disclosure of Customs Information - Section 107 of the Customs 
Act 

EN Manual Pt7 Ch3 

CCTV Class of Records 

CCTV Personal Information Bank 

CBSA /nterim Video Review, Retention, Disclosure and Destruction Policy 

MOU between Calgary International Airport and CBSA 

Video Recording and Monitoring Privacy Notice 

Video Surveillance Signage 

Audio and Video Signage 

Video Surveillance Sign Locations 

Privacy Notification given at interview rooms, primary inspection areas, secondary 
inspection areas and cash/information counters 

Inventory of Cameras 

PIA Action Plan 

TRA Summary 

TRA Action Plan 

Forensic Audio Video Analysis 
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The following signature represents a 

| commitment to comply with sections 4 to 8 of 
the Privacy Act and the related privacy policy 

| requirements outlined in the PIA as they relate to 
: the administration of the identified program or 

: activity. 


Signature of PIA lead for program or activity 


Date 


| Note: Responsibility for sections 4 to 8 of the Privacy 

: Act rests with all employees of government 

| institutions that handle personal information. Officials 
| who manage such programs and activities are 

: responsible for ensuring that such requirements are 

: implemented as part of the administration of the 

| program or activity. 


The following signature represents a commitment 
by the Head of the institution or his/her 
delegate(s) who is responsible for establishing 
personal information banks in accordance with 
section 10 of the Privacy Act. 


Signature of Head of the institution or the 
delegate responsible for Section 10 under the 
Privacy Act 


Date 


Note: Under the Privacy Act, the Head or his/her 
delegate(s) is responsible for complying with legal and 
relevant privacy policy requirements related to the 
approval and registration of personal information 
banks 


Approval beyond the above sign-off should be inserted here : 


(Signature of the title of the official) 


OR 


(Signature of the chair of the relevant governance committee) 


Date 
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Border Processing Unit 
Traveller Transformation — Land Rail and Marine Division 
Programs Branch 


Name of Program / Activity / Service PIA 


| April 18,2017. 
| April 20, 


| Renee Uvanile 
| Renee Uvanile 


$ 

E 

— | from ATIP, E 
| rom Madon 
i 


| Aprit 27, 201 
| May 4, 2017 
| May 18, 2017 


| Maria Romeo 
| Renee Uvanile 


| Comments (in track changes) — — 
| Update regarding U.S. cellular 


an 
. Processing Unit 
| Director 


| A/Manager, Corporate 
| Affairs Branch 


Ron.Warren@chsa-asfc.gc.ca 


Neil.O'Brien@cbsa-asfc.gc.ca 
| 343-291-6985 


er, ATIP 


| Neil O’Brien | 


| and Consultation | 343-291-6916 
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| E Privacy Impa ct Assessment Date / Version: | YYYY-MM-DD (Date sent to OPC) 
of the Privacy Commissioner file #: 


Government Official Responsible for PIA: —  ć 
| Delegate for section 10 of the Privacy Act: 
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[EXECUTIVE SUMMARY 
Entry/Exit Wireless Hand held Devices 


Wireless handheld devices will be introduced to support the Entry-Exit Initiative and Beyond | 
the Border Action Plan. The devices will be equipped with a mobile version of the Integrated | 
Primary inspection Line (IPIL) application (i.e. mobile IPIL) to facilitate the secure and accurate 
capture and risk assessment of individual traveller and conveyance information. The devices 

will be deployed at Canada Border Services Agency (CBSA) service points which are not 

equipped with primary inspection booths. In addition, they will be deployed to ports of entry 

where primary inspection booths are present but do not support processing of all types of 

traveller processing. An example of this would be bus processing at large ports where 

workstations are only available in adjacent booths or buildings but not where officers process | 


to complete traveller processing on the bus rather than offloading passengers. 


At most ports of entry, booths equipped with IPIL Air and Highway along with fixed 
workstations and document readers provide BSOs with a means of capturing traveller and 
conveyance (licence plate) information for risk assessment against customs and enforcement 
em databases. Where no booth is available, BSOs must take licence plate and traveller 
information and run it at an IPIL workstation in an office adjacent to the primary inspection 
line. This forces the BSO to turn his/her back to the traveller and leave them unattended. | 


and risk assess conveyance and traveller information while remaining with the traveller, just 
as they would today if they were working at a site with primary inspection booths. 


This will increase security by providing BSOs with at hand access to information used in 
determining the travellers’ admissibility. It will also streamline the entry process for our less 
automated ports and processes such as bus clearance. There will be no change to the type of 
information gathered today, only a change to the technology used to facilitate the collection. 


At this time mobile devices are slated for deployment to 72 ports of entry and will be used to | 
process travellers arriving via personal conveyance, bus, air and train. Deployment is starting 
at test sites (soft-launch) in June and then rolling out nationally in August 2017. 


Protecting Your Personal Information 


The following personal information elements related to the traveller will be handled by the wireless 
device: 


M 
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While the mobile handheld device introduces a new means for capturing traveller and conveyance 
information, the type of data collected remains unchanged. Under normal circumstances there will be 
no traveller data stored on the device and information in transit will be encrypted with access limited 
to authorized users. The collection of information will be facilitated by handhelds. 


The handheld is a tool used by the BSO to collect information directly from the traveller and verify it 
against information that is already held within CBSA information holdings. All information collected 
will be held within the CBSA's existing Integrated Customs System (ICS) platform. ICS is a common 
framework that encompasses both commercial and passenger-traveller streams and is comprised of a 
number of components (e.g. Passage History, Secondary Processing). 


Right of Access 

individuals may formally request access to their personal information, or access to corporate records 
related to the wireless handhelds by filing a request with the Access to Information and Privacy 
Division. More information about this can be found on the Access to Information and Privacy page. 
Accountability 

Individuals with concerns about e collection, use, disclosure c or rete ntion ar their bai 


shou uld be made i in writing, and include 1 the individuals: name, contact i information, ies a brief . 
description of their concerns. Contact the Access to information and Privacy Division at the CBSA 
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r Integrated Customs Enforcement System 


Lr Identification 


: Secondary Processing | 
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| DEFINITIONS 

| Action Plan | The Action Plan describes the steps that the Program will take to address risks that have 

; : been identified by ATI and Privacy Division, Office of the Privacy Commissioner of Canada 
: (OPC) and Treasury. Board Secretariat (TBS). 

à ministrative purpose | The Privacy Act defi nes an "administrative purpose" to be the use sofa an vindividuaf's $ 

| personal information in a decision- making process that directiy affects that individual. 

Consistent use - is a use that has a reasonable and direct connection to the original purpose(s) for which - 

| _ the information was obtained or compiled. This means that the original purpose and the 
| proposed purpose are so closely related that the individual would expect that the 
| information would be used for the consistent purpose, even if the use is not spelled out. 

Data Matching : A comparison of personal data obtained froin a variety of sources, including personal 

: | information banks, for the purpose of making decisions about the individuals to whom 
the data pertains. Data matching is a specialized activity involving the collection, use and 
- disclosure of personal information that is subject to the various requirements of the 
, Privacy Act. 

: info Source Is a series of annual TBS publications i in which government i institutions are required to 

: _ describe their institutions, program responsibilities and information holdings, including PIBs 
and classes of personal information. The descriptions are to contain sufficient clarity and 
: detail to facilitate the exercise of the right of access under the Privacy Act. Data-matching 

- : sue use of the SIN and a activities for v which privacy impact a assessments were 


2 also ses contact formation for government institutions as ; well as summaries sof: a 
. Cases and statistics on access requests. 


| Personal Information. | Information about an identifiable individual as defined in section 3 of the Privacy Act. This 
: - definition, although lengthy, is not exhaustive, as indicated by the introductory phrase, 

_ "including, without restricting the generality of the foregoing". Information that is not 

| specifically mentioned in the list my SER ne incladed: in i the ipe of ‘ts 


I ni nn cr EEE RSS 


2 Personal information Bank | ls a description of personal information that is organized and retrievable by a person's 

: , name or by an identifying number, symbol or other particular assigned only to that person 
| The personal information described in the personal information bank has been used, is 
. being used, or is available for an administrative purpose and is under the control of a 
: government institution. 


RR 


Privacy - The OPC describes "privacy" as ^... the right to control access to one's person and 
: | information about one's self. The right to privacy means that individuals get to decide what 
_ and how much information to give up, to whom it is given, and for what uses." 


' Mobile De |. Mobil e Device Management {MDM) is a roles based service that will be leveraged tc to push | - 
| Management | policy to devices for standard configuration, provide remote support to devices, implement | 
~ | security controls and provide reports on usage and performance of mobile devices. 
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| SECTION 1 - OVER 


Report Obiectives 


This report is a Privacy Impact Assessment (PIA) for the Entry/Exit wireless handheld devices. The 
introduction of wireless handheld devices will facilitate the secure and accurate capture and risk 
assessment of individual traveller and conveyance information at CBSA service points which are not 
equipped with primary inspection booths and in environments where traditional systems access is not 
readily available (such as bus processing). 


The objectives of this PIA are: 

+ to review the business processes in order to identify the data flow of personal information; 

+ to analyze the collection, use, disclosure and retention of personal information; 

+ to determine if there are privacy risks associated with the introduction of mobile devices in primary 
processing; and 

+ to provide recommendations on the mitigation or elimination of the risks. 


The information presented in this report follows the Treasury Board of Canada Secretariat (TBS) PIA 
policy and guidelines. 


The purpose of a PIA process is to ensure that privacy is considered throughout the project development 
cycle. The results of a PIA are a documented guarantee that privacy issues have been identified and 
adequately addressed. 


PRESS 


Government institution: CBSA / Programs Branch 


Government Official Respo nsible for the Privacy Head of the government institution / Delegat 


impact Assessment section 10 of the Privacy Act | 


Martin PP Vice President, Programs Branch Dan Proulx, Director, Access to Information and 
Privacy Division 
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processed v within established. service e standards. Border « services s office icers s conduct huet inte | 
commercial carriers and then make: is 3 on to aliow the entry of a person or shi 


dec ‘ c n sto admit ther person c or sr refer them for fu 
areas exar nination. f For r private and corp 


denied entry to C Canada, 


1.3.3 Rail Mode - The Rail Program identifies and interc 
entry at a rail port of entry or rail yard while en: 
established service standards. Rail operators ar 
| CBSA at or rene or rto arrival i in ? Canada. Border b f^ 


e payment of duties indi taxes, : suai ice fac m ud 121 € 
- investigation of amie is required, 


Canada Border Services MENO) 


Entry/Exit Wireless Handhelds PIA 


Description ¢ of the class of records associated with the program or activity: 


c ae information c Center r (NCIC, c Client $ Status € s Query » (Gt Modern V Wer . 


|_| Proposal for a New Personal information Bank 
| Proposal to modify an existing Personal Information Bank - identify PIB registration number and current 
description: 


Traveller Processing 


Description: This bank describes information about individuals who enter Canada by way of a 
Canadian port of entry. This consists of persons - including pedestrians - aboard any personal or 
commercial conveyances, including crew. The personal information collected may include: 
name, contact information, citizenship, date of birth, place of birth, gender, date and time of 
entry, port of entry, travel document type (e.g., passport) including identification number and 
country of issuance, membership program information — i.e. NEXUS, residency, and Field 
Operations Support System (FOSS) ID number. in the land mode, passenger vehicle license plate 
information is collected. 


Note: In addition to the requirements specified on the Treasury Board of Canada Secretariat 
Personal Information Request form, individuals requesting information described by this bank 
must provide the subject and date of examination at the border as well as the location of the 
port of entry. Bank formerly called CIC PPU 001. 


Class of individuals: General travelling public. 


NS 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Purpose: The personal information is used in support of the administration of traveller 
processing activities. The personal information captured creates a passage history and allows 
the CBSA to initiate "real time" queries against enforcement actions and lookouts. Personal 
information is collected pursuant to R41 and R40 of the Immigration and Refugee Protection 
Regulations. 


Consistent Uses: The information may be used or disclosed to assist CBSA's enforcement 
program, for program evaluation and for reporting purposes. The information may also be 
disclosed in support of domestic law enforcement and other partner agencies for the purpose of 
administration and enforcement of Acts of Parliament. 


and then are destroyed. 


RDA Number: 2006/004 


TBS Registration: 20110290 


Bank Number: CBSA PPU 1101 
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Special Import. Measures a 


(b) that the Governor in Council or Parlia 
an n employee of the Agency tc to enforce, i 


Summary of the initiative: 


| The introduction of handheld devices during primary processing will allow a BSO to capture and risk 
assess conveyance and traveller information while remaining with the traveller. The devices will have a 
mobile version of the Integrated Primary Inspection Line (IPIL) application (i.e. mobile IPIL) to facilitate 
the secure and accurate capture and risk assessment of individual traveller and conveyance 
information at CBSA service points which are not equipped with primary inspection booths and in 
environments where traditional systems access is not readily available (such as bus processing). The 
deployment of handhelds will introduce an additional tool in support of traveller processing and will 
not replace existing infrastructure at the port of entry. 


The introduction of handhelds will increase security by providing BSOs with at hand access to 
information used in determining the travellers’ admissibility. It will also streamline the entry process 
for our less automated ports and processes such as bus clearance. There will be no change to the type 
of information gathered today, only a change to the technology used to facilitate collection. 
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Re 


At this time, mobile devices are slated for deployment to 72 ports of entry and will be used to process 
travellers arriving via personal conveyance, bus, air, marine and train. Deployment is scheduled to 
begin in June 2017. 


Eligible Travellers 


All travellers arriving in Canada may have their information processed using a wireless handheld device. 


Wireless Handheld Processing 


When using a wireless handheld device, a BSO will approach a traveller or conveyance to obtain licence 
plate (as relevant) and traveller information. When processing a conveyance, licence plate information 
will be entered manually by the officer. Details from the travel documents will be read by the device 
using the Machine Readable Zone (MRZ) of the document or will be manually entered by an officer. 
Entry of conveyance and traveller details will initiate a risk assessment against CBSA systems and checks 
against relevant immigration databases. The results will be returned on the device to assist the officer in 
making his/her admissibility determination. The traveller will not interact with the device at any time. 


interaction with CBSA Officers 


Travellers will be met by a BSO in the same manner that they are met today. Changes to processing may occur as 
follows: 


Highway: Officer will complete primary processing with the traveller and will not leave them unattended. In bus 
processing, an officer may board the bus to complete primary processing. 

Air: Officer may complete primary processing on the tarmac or on the aircraft. 

Marine: Officer may complete primary processing on the dock or on the marine vessel. 

Rail: Officer may complete primary processing on the train. 


ORIZATION 


SECTION 2 - RISK AREA IDE 


NTIFICATION AND CATEGC 


Type of Program or Activity 


Program or activity that does NOT involve a decision about an identifiable individual 


: Administration of Programs / Activity and Services 


2 Compliance / Regulatory investigations and enforcement 
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_ individual or provided with the consent of the individual for disclosure under an authorized 

| program. 

Personal information, with no contextual sensitivities after the time of collection, provided by [ 12 
_ the individual with consent to also use personal information held by another source. 

| Social insurance Number, medical, financial or other sensitive personal information and/or the 
context surrounding the personal information is sensitive. Personal information of minors or 
 incompetent individuals or involving a representative acting on behalf of the individual. 
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily 

_ samples and/or the context surrounding the personal information is particularly sensitive. 
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Program or Activity Partners and Private Sector Involvement Level of Risk 
Within the CBSA (amongst one or more programs within the CBSA) 
With other federal institutions 


With other or a combination of federal/ provincial and/or municipal govern ment(s) 


Duration of the Program or Activity _ — | Level of risk 


One time program or activity m 
Typically involves offering a one-time support measure ín the form of a grant payment as a social support 
mechanism. 

Short-term program i [ ]2 


A program or activity that supports a short-term goal with an established "sunset" date. 


Long-term program 
Existing program that has been modifi ed or is established v with no clear Sunset". 


Ther program n atfects certain employees for internal administrative purposes. 
The program affects all employees for internal administrative purposes. 


The program affects certain individuals for external administrative purposes. 


The program affects all individuals for external administrative purposes. 


Canada Border Services Agency 


Divulgation en vertu de la loi sur l'Accès à l'information 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Entry/Exit Wireless Handhelds | PIA 


Canada will not 


Technology and Privacy 

6.1 Does the new or modified program or activity involve the implementation of a new electronic YES 
system, software or application program including collaborative software [or groupware) that [TNO 
is implemented to support the program or activity in terms of the creation, collection or EL 
handling of personal information? 


6.2. Does the new or modified program or activity require any modifications to IT legacy systems 
and / or services? 


6.3 Doesthe new or modified program or activity involve the implementation of one or more of 
the following technologies: 

6.3.1 Enhanced identification methods: (| YES 
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, ><] NO 
fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy 
pass technology, new identification cards including magnetic stripe cards, "smart cards" 

(i.e. identification cards that are embedded with either an antenna or a contact pad that 
is connected to a microprocessor and a memory chip or only a memory chip with non- 
programmable logic). 


6.3.2 Use of Surveillance: 
This includes surveillance technologies such as audio/video recording devices, thermal 
imaging, recognition devices, RFID, surreptitious surveillance / interception, computer 
aided monitoring including audit trails, satellite surveillance etc. 


6.3.3 Use of automated personal information analysis, personal information matching and X] YES 

knowledge discovery techniques: z NO 
- For the purposes of the Directive on PIA, CBSA is to identify those activities that involve 

the use of automated technology to analyze, create, compare, cull, identify or extract 
personal information elements. Such activities would include personal information. 
matching, record linkage, personal information mining, personal information comparison, 
knowledge discovery, information filtering or analysis. Such activities involve some form 
of artificial intelligence and/or machine learning to uncover knowledge (intelligence), 
trends/patterns or to predict behaviour. 
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Personal Information Transmission | — | _ Level of Risk 
The personal information is used within a closed svstem. WE: 


No connections to internet, Intranet or any other system. Circulation of hardcopy 
un documents is controlled. 


The personal information is used in system that has connections to at least one other system. 


The personal information is transferred to a portable device or is printed. 
USB key, CD-Rom, laptop computer, any transfer of the personal information to a 
different medium. 


The adici: information i is s transmitted using wireless dedican 


Level of Risk 


Cina Border Services TAS 
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Managerial harm. — [ 314 
Processes must be reviewed, tools must be changed, change in provider / partner. 


Organizational harm. 


Changes to the organizational structure, changes to the organizations decision-making 
structure, changes to the distribution of responsibilities and accountabilities, changes to 
the program activity architecture, departure of employees, reallocation of HR resources. 

Financial harm. | E 3 
Lawsuit, additional moneys required reallocation of financial resources. 

Reputation harm, embarrassment, loss of credibility. 
Decreased confidence by the public, elected officials under the spotlight, institution 
strategic outcome compromised, government priority compromised, impact on the 
Government of Canada Outcome areas. 
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| Risk Impact to the Individual or Employee | _ Level of Risk 
inconvenience, : FE 


Reputation harm, embarrassment. 


Financial harm. x13 


Physical harm. 
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Category C a 5| Personal Information : Personal Information | ee - à | Pinto i Necesas 
onal | Element : Sub-Element : pu ud : of tement 


: Name | 1) Last name, first name, | Electronic ; Derived tom the : To document border crossing; identify travellers in existing CBSA informátlón hildings and 
| : | | travel document | assess admissibility. 


enne SS VEE A A ettet ee e te We te s een oinin nee re aaiae a a aja nee eine ee nn ie ate e ne canine En RARE RER IRR deua ht a dune RER RR AP diss à a à à à à D ave AR ARR SR à a ao MAE NAAR E MA a ea do à 


| Date of birth Date of birth . 1) Day of birth : Electronic | Derived from the | Fo identify travellers in existing CBSA m— holdi ings and d55ess admissibility. 
| | 2} Month of birth : | travel document : 


3} Year of birth 


| Citizenship, j , Citizenship / . 1) Citizenship / nationality of | electronic 2 Derived from he ; To document border crossing; identify travellers in existing CBSA information holdings and 
Nationality . Nationality traveller | | travel document or assess admissibility. 
| entered manually by — 
E officer. 


| Gender Gender | Genderol Traveller : Electronic 7 | Derived from the : To identify travellers in existing CBSA information hol dings. 

: : | travel document or — — 
| entered manually by 
| officer. 


T X PA MM CMM EE ELLE EEE M RR De ea aa a SERRE: 


: travel Document : Travel Document : 1) Document Type Electronic : Derived from the - To dasun bardes crossing: identify travellers i in existing CBSA information holdings and 
; Information (may Information | 2) Document Number | travel document or | assess admissibility; to verify the validity and authentication of the travel document. in the 
_ be their Passport) j i entered manually by past, a CBSA officer would manually verify the travel document, 

: | officer. i 


- 3} Document Country of issuance 
| 4) Document expiration date 


; Name : Middle Name Electronic | Derived fom the | To document border crossing; identify travellers ir in existing CBSA information holdings and. 
| | | travel documentor assess admissibility. 

| entered manually by 

officer. 


Canada Border Services Agency 


iid Exit Wireless Handhelds 


| eTA, VISA, TRB 


| Information 


Risk Abieksimont 


| | Resuits 


Membership 
_ (NEXUS Fast etc.) 
_ Information 


aman sents, ONIN LOTT Aie aa ae eee cine ee ag eee ee 


; Licence plate 
: number and 
| province/state 


CO LANTA PET ER RARES RER RS ARS LENS erica 


| Information related 
| to previous 
: enforcement, 


2 Membership status 
| (expired etc}, 
; photo and number, 


Canada Border Services RM 


| ijNumber 
| 2)Province/state 


| eTA: whether on file 
- VISA: whether on file 
- TRB: photo, document number 


_ Information related to previous 
| customs, immigration or criminal 
enforcement activ 


- Membership status (expired etc. " 
| photo and number. 


| Electronic 


ity. 


: Electronic 


| Entered n manual ally by 
_ officer. 


| Retrieved from back 
: end database. 


Retrieved from back 
; end database, 


Retrieved from back 


| end database, 


VR USE ERA. 
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| To determine ifi immigration requirements have been met. 
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Diagram 1 
The following diagram has been included to show information flow in the operational context. The 
infrastructure has been simplified for this purpose. 


Note* MDM (does not 


process traveller 


Z i 


BSO enters and submits am 

traveller and - 
conveyance details into | S 
mobile device. i 


Traveller and/or conveyance 
arrives at the border and gives a 
BSO their travel document. 


850 makes the decision te | 
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7 Data trasmitted ^ 
^ia Wi-Fi ar cellular 
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Diagram 2 
The following diagram is an overview of the respective components/services which will be leveraged for 
supporting the infrastructure the Entry/Exit hand held project is dependent upon. The PILSERVICESYNC service 
has been added for reference only. Its inclusion is intended to depict the eventual connectivity requirement. 
MDM Services for device management. 
Netmotion Services for secure connectivity. 
Active Directory (AD) Services for secure auditable device authentication. 
Malware/intrusion Detection System/Patch Management Services for alignment of new infrastructure with 
existing security safeguard mechanisms. 
Monitoring Services for alignment of new infrastructure with existing monitoring/alert mechanisms. 
Network Services leveraging of both existing services and newly implemented GC Wifi services. 


PILSERVICESYIVC Services for reference to target business risk assessment services. 


Devices policy and softurare 
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Diagram 3 

This service will leverage the current Government of Canada (GC) Wi-Fi service with cellular as back up 
in most cases and cellular as the main connectivity type at a few locations. The GC Wi-Fi service has 
been configured in such a fashion as to provide Wi-Fi coverage which meets identified CBSA areas of 
operations. MDM services will provide device security and standardization via SOTI MobiControl 
services, reporting, and allow the CBSA to remotely manage the fleet of devices. Net motion services 
will permit secure connection of the data via an encrypted tunnel. Connectivity will be supported from 
both GC Wi-Fi and cellular connections. Net motion adds an additional level of security to the remote 
PIL function by encrypting the data in motion. 
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2 Data Flow Model - Table 


TU ROIS GRR Re A EIER PRETI EIE IATER donnee da nn ati AIH STS: 


The individual o ora a representative. A traveller o or r their legal řepresentativen may request their | 
| own information. 


“CBSA Information Holdings CBSA Information holdings such as: | 
œ integrated Customs System (ICS): An umbrella system - 
: used for storage of traveller details to account for | 
| passage history~ CBSA PPU 008. : 
: + integrated Custom Enforcement System (ICES) — CBSA | 
| . PPU 016. Data from the following programs is 

accessed through ICES: 
o Criminal investigation Program ~ CBSA PPU 1402; 
and 
: o Intelligence Program — CBSA PPU 035. 
+ interdiction and Border Alert System (IBAS). Data 
2 from the following programs/systems is retrieved 
through IBAS: 
o Immigration | investigations Program — CBSA PPU 
1403 
o Enforcement Information Index System (EHS) — 
CBSA PPU 025 
o Document Integrity Program — CBSA PPU 1404 
The Lost Stolen Fraudulent Document (LSFD). 
*Immigration related data is retrieved from 
Global Case Management System (GCMS) through 
IBAS. | 


ETHER 


E 
E 
E 
H 
H 
H 
H 
H 
i 
i 
i 
| 


| Royal Canadian Mounted Police A subset of Wants and Warrants from Canadian Police 
| Information Holdings Information Centre (CPIC) is sent to ICES (CBSA PPU bond 
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The individuale ora representative _ An individual or their representative may request their 
| own personal information, 


——— PER 
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ound 


Shit RUE RO Los Ru et Ee oaa a eid PASE RA Ron S MS unt et OE EE E eios a duda eaa ep aM deh oc Soi RS cue dc.title DLL LAE KS EN NER M tise MASS LUNA AS a DASA nent Maa RR oa Nate QT STE p S ETOS OTS CU Men een ale vegan AR ELE 
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Ca nada Bordér Services Agency - Files are —— fors seven years frm the date of the traveller's 

Integrated Customs System (ICS), entry to Canada, as identified by the traveller's passage time, 

Passage History database recorded by the device. This reflects existing retention periods for 
| traveller processing. After this pe riod, the records a are destroyed. 
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m 


MEME" ——————————————————————————ÁÁ ' EE — ———— —á———!— ECL JpE———ÓÁ— AAO PEON LIEN 


"Identify Groups or Areas / or Divisions _ Positions who have access or use the — | Geographical Location 
oo i formation {where appropriate) j 


RO ETES RER ii TEE d a AR e 


| Information, Science and ar | Approxi imately 20-25 staff members in National Capital Régióh 
| Technology Directorate | a production support role, responsible 
: | for receiving incidents and requests 
from end-users, analyzing these and 
either responding to the end user 
with a solution or escalating it to the 
other IT teams. These teams may 
include developers, system engineers 
and database administrators handling 
| System issues. 


: Barges Operations Directorate Border Services Officers, National 
2 interns/students, Superintendents, - 

Chiefs of Operations at ports of entry 

"s. | where handhelds will be depl aic 
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SECTIONS rene TE: PT a 


Has a legal authority been identified for the collection of personal information for this program or activity? 


| Yes 
11 Dd Specify the legal authority and briefly explain its connection to the program or activity or how it 
| permits the collection of the personal information: 


Canada Border Services "rey 
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ce aa ae i a 


413 [ ] If there is no legal authority for the collection of personal information, it cannot be collected. Please 
| consult your legal advisor to determine if there is authority to proceed with the program or activity. 


Necessity to Collect Personal Information. 


Is each element and sub-element of personal information collected or to be collected necessary to | 
administer the program or activity? | 


is 


LS OZ Ensure that all personal information necessary to administer the program or activity is listed in the 
relevant PIB. 


2.2 x €} AND, implement controls and procedures to ensure the CBSA does not collect more personal 
| information than is necessary for the identified program or activity and that a continuing need exists 
for that information or its collection. 


: 2.3 Are secondary uses contemplated for the information collected? 


<i ves [ ] NO 


The use of the information for enforcement (if required) is internal to the CBSA and disclosures to other 
government departments as required and permitted by law. These uses are documented in the Personal 
| Information Bank. 


2.3.2 If not, is there authority for the use or disclosure of the personal information? 


[]vts CINO 


| 2.3 a Review the proposed elements and sub-elements of personal information outlined in "Section 3 — 
| Analysis of Personal information Elements" to identify those that are "necessary" and not merely 
| useful. Document any changes. 


_| Collection of the SIN must be in compliance with the Directive on Social insurance Number (please 
SETS d check all app ropriate boxes below): 
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- OR, in the absence ofa legal authority to coll ect the SIN: 
à 3 2 Establish expl icit uto Ms yen idi) 
AN ND, if disclosure of the SIN bun the CBSA is to occur on a routine or systematic basis | | 
3.4.1 [] to another federal institution that is authorized to collect it, or to another level of government, | 
establish an agreement or arrangement that includes specific provisions to limit the use of the 
SIN. 
3.42 [| to a contractor or other external service provider, establish a contract that includes specific | | 
: provisions to limit the use of the SIN | 
E 5 [| AND, ensure that the relevant PIB for the program or activity states the authority under which the | 
: SIN is coliected and the purpose for which it is used. : | 
.6 DX] The SIN is not necessary and it will not be collected, used or disclosed to administer the program or | 
activity. : 


| js personal information collected directly from the individual to whom it relates? 

| YES 

4.1 | | A "Privacy Notice" (adapted for either verbal or written communications) must be provided to the 

| individual at the time of collection and it must include the following elements: 
a) The purpose and authority for the collection 

: b) Any uses or disclosures that are consistent with the original purpose. 

| c) Any uses or disclosures that are not related to the original purpose 

d) Any legal or administrative consequences for refusing to provide the personal information 
e) That the "individual to whom the information relates" has rights of access to, correction of and 
duis of persona A under the ben Act. 


g) Why thet SIN i is weht how it will ile e used and the consequence of not providing it. 


AND, add a "Consent Statement" to the "Privacy Notice" as appropriate, if the personal information is to | 
be used or disclosed for a purpose other than the original purpose (Secondary Use) or a consistent use, —— 
or, to authorize indirect collection of personal information. 


| 4.2 | ] The "Consent Statement" must include the following elements: 
| a) The purpose of the consent and the specific personal information involved. 
b) In the case of indirect collections, the sources that will be asked to provide the information. 
(This element need only be included when personal information is to be collected from another 
source eg. sie or Bi aa ut with the consent of the HOMINUM 
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which consent is being sought. 


(This element need only be included when the individual's consent is sought for a secondary use or 
disclosure that is not consistent with the original purpose for which the information is collected. To 
find out if the individual's consent is necessary for such a use or disclosure, please consult the ATI 
and Privacy Division) 
d) Any consequences that may result from withholding consent. 
e) Any alternatives to providing consent 


4.3 | | AND, implement controls and procedures to ensure that the CBSA keeps a record documenting 

| whether or not an individual provided consent when it was sought, including a record documenting 
any withdrawal of consent when applicable. 

. **Ensure to provide the "controls and procedu res" as an annex to this PIA** 


Tis Standards and mechanisms are in fons to ensure that the individual has capacity to give 
consent. 


: **Ensure to provide the “standards and mechanisms" as an annex to this PIA** 


individ al. E is collecte indirect y, "for ixi n frat another program within the shi or fram 
another institution, government or third party. 


is personal information collected indirectly from another source with the informed consent of the individual | 
| to whom it relates, or from a person authorized to act on behalf of the individual pursuant to section 10 of 
the Privacy Regulations? 


| 5.1 [| | The notice and consent requirements stated at Question 4 apply. Please provide the "Privacy Notice" 
| and/or "Consent Statement” below: 
**For a copy of the CBSA Privacy Notice and Consent Statement template, contact the ATI and 
: Privacy Division** 
5.2 | ] AND, implement controls and procedures to ensure the CBSA keeps a record documenting whether 
| or not an individual provided consent when it was sought, including a record documenting any 
withdrawal of consent when applicable. 


 **Ensure to provide the “controls and procedures" as an annex to this PIA** 


5.3 || AND, if information is being collected from persons authorized to act on behalf of minors, 

: incompetents or individuals who have been deceased for less than 20 years, implement appropriate 
mechanisms to ensure that such persons are authorized to act on behalf of individuals who do not 
have the capacity to provide consent. 
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6. Indirect Collection - Without Notifi cation and Consent | 
is personal information collected from another source without notice to or consent me the individual to | | 
whom the information relates? : | 
: YES : 
6.1 |_| Where information is collected indirectly under any of the following circumstances without notice to, _ 
: or consent from, the individual to whom it relates, please check the applicable boxes and explain as 
me d | | 
a) The collection is a result of a disclosure to the CBSA under subsection 8(2) of the Privacy Act. | 
State the app licable paragraph(s) of subsection 8(2) and provide a brief Beginn e for each: | | 
[ ] b Direct t notification of the individual might result in the collection of inaccurate mformatión, or. 
might defeat the purpose or prejudice the use for which the information is collected. Briefly 
explain why notice is not provided: (For example, certain kinds of lawful investigation might 
be jeopardized if the investigators were required to notify the individuals who were the 
p of the investigations before co: E information indirectly from other: sources. À 
c) T he information i invo ed i in ithe program: or " activity i is to be used solely for a non- 
administrative purpose in which no decisions are made about the individuals to whom the 
| information relates. {This includes research, statistical, audit or evaluation purposes.) 
| 6.2 | 1 AND, if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the relevant 
| PIB. | 
| AND, if the information is to be used solely for a non-administrative purpose (box c above has been 
checked), ensure that the requirements under sections 6.3.2 and 6.3.3 of the Directive on Privacy 
impact Assessment have been met, and that the decision of the official responsible for section 10 of 
the Privacy Act to proceed with a CBSA PIA for the program or activity has been adequately 
documented in the description of the program or activity in "Section 1 - Overview and PIA Initiation" 
| of the CBSA PIA. 
_6.4 [ ] OR, if none of the circumstances in a) b) or c) is applicable, then the personal information must be 
collected directly from the individual, or indirectly with the consent of the individual. Please review 


the responses to Questions 4 and 5 and ensure that the "Privacy Notice" or the "Consent 
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source within notice vie or consent from, the individual ora person Ia toacton i berali ofthe 
individual. 


. 7. Retention and Dis, osal of Personal. information 


Has Library and Archives Canada approved a records retention and disposal schedule that applies to the 
personal information? 


| Please identify the Record Disposition Authority (RDA) and describe the retention and disposal 
- schedule: 
x) AND, implement controls and procedures to ensure that personal information used to make a 
decision that directly affects an individual will be retained for a minimum of two years after the last 
administrative action or, where a request for access to the information has been received, until such 
time as the individual has had the opportunity to exercise all his/her rights under the Act. 
7.3 [_] AND, if the CBSA intends to dispose of personal information that has been used for an administrative 
: purpose prior to the expiration of the two-year minimum retention standard established by the 
Privacy Regulations, it must obtain the consent of the individual to whom the information relates 
before doing so. 
2.4 DX] AND, the CBSA must cite the RDA number, the retention period and the disposition standards for the 
personal information in the relevant PIB. 


. Details: The RDA listed in the PIB is 2000/033, which is an active Records Disposition Authority confirmed 
- through the Library and Archives Records Disposition Authorities Control System. While the terms and 

| conditions list only the Customs Branch of the Canada Customs and Revenue Agency, the authorization 
portion of the RDA listing includes records collected or held by the CBSA. 


The RDA terms and conditions are generic in nature, requesting only that records that are considered to have | 
archival value be transferred to LAC and enable the CBSA to set the required retention period and related 2 
destruction for records that are not archival in nature. | 


The retention period for information collected via the handheld will be aligned with the retention period for 
| passage history (Le. seven years). 


2 NO 
: 7.5 |_| Provide a Records Disposition Submission to Library and Archives Canada describing the records 
containing the personal information for which the institution requires a RDA. 
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7.6 [ ] AND, obtain a RDA from Library and Archives Canada to allow the CBSA, under certain conditions, to _ 
dispose of records that no longer have operational utility for the program or activity. 


| AND, ensure that all the other applicable requirements listed under "YES" at Question 7 are met, | 


diet nent RS eee at etu 


: " " mum of — ——À O———— — "————— a 


AA ———————————————————————————————————————ÓÁ——  —— NAME 


. Will measures be adopted to ensure that personal information used by the CBSA for an administrative 
: purpose is as accurate, up-to-date and complete as possible? 
YES 


. 8.1 Please check any of the following measures that will be adopted to ensure accuracy of the personal 
information and provide details as requested: 


8.11 [X] Personal information will be collected directly from the individual to whom it relates or it will be 
validated with the individual or a person authorized to act on behalf of the individual. 
Aj À data-matching process will be used to verify the accuracy of personal information against a 
"reliable source" (within or outside the CBSA) where this is authorized, or where consent was 
obtained. 


8.1.3 | | in cases where direct collection or consent is not feasible, the CBSA will obtain information from 
trusted sources (public or private) and verify accuracy against existing personal information 
before use. 


8.1.4 D Technological methods will be used to identify errors and discrepancies. 


L2 | | AND, if measures are adopted other than "direct collection or validation with the individual or with a 
person authorized to act on behalf of the individual", the CBSA must implement appropriate controls 
and procedures to ensure that: 

a) the technique(s) and the specific source(s) used to validate or update the personal information 
are documented; ; 


b) individuals are given the opportunity, whenever possible, to request correction of any inaccurate 
personal information before the information is used in a decision-making process that affects 
them; 

c) personal information can only be modified or corrected by those within the CBSA who have the 
authority to do so; 

d) when personal information is corrected or annotated, the record of personal information 
indicates the date of the last correction or annotation and the source of the information used to 
make the correction or annotation; and 


d) when personal information is corrected or annotated, other authorized holders of the - 
information are notified about the correction or annotation and that all copies af the information | 
in the possession of the CBSA are corrected / annotated. : 
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Details: 


To minimize errors technologies that provide the capacity to electronically capture traveller details from | | 

. documents have been included in the device. This includes MRZ, barcode and mag stripe reading. 

— Personal information collected with the handheld will be verified through querying existing CBSA information 
holdings, such as: Customs Enforcement System (ICES) and Interdiction and Border Alerting System {IBAS}. 
Discrepancies may result in a referral to secondary processing. 


Explain why such m measures s will not be adopted: (This information i is s mandatory) 


Will the personal information collected for the program or activity be used solely for the original purpose 
: for which it was obtained or compiled, a use consistent with that purpose, or a purpose for which the 
- information was disclosed to the institution pursuant to subsection 8(2) of the Privacy Act? 


^x] Y 


| 9.1 DX] implement controls and procedures to ensure that access to the personal information for such 
ieee will be limited to authorized individuals who need to know the information to perform their. 


| AND, ensure that the "Data Flow Diagram" or "Data Flow Tables" completed for "Section 4 — Flow of 
Personal information" of the CBSA PIA identify the areas, groups and individuals (e.g., the positions) 
within the CBSA who have a need-to-know to access to or handle the personal information, including ` 
their geographical location and where the personal information will be stored or retained. : 


LX] AND, if the purposes for which the personal information is used includes any use(s) of the 
information for a non-administrative purpose, (such as research, statistical, audit and evaluation 
purposes) the CBSA will adhere to the requirements and principles in the CBSA Privacy Protocol For 
Non-Administrative Purposes (2012), in accordance with section 6.2.15 of the Policy on Privacy 

| Protection, to address any impact that such non-administrative uses may have on privacy. 


9; 4 | | Identify below any other uses of the personal information, in other words, any routine uses that are 
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not directly related to the purpose of the collection, or, which are not consistent with that purpose 
or for which the information was disclosed to the CBSA pursuant to subsection 8(2) of the Privacy 
Act: 


Detail: 


| 9.5 ae AND, : ensure that these other uses are e refiectedi in the relevant PIB. (In accofdahce — bnc 


9(1) of the Privacy Act, if these other uses are not described in the PIB in CBSA Info Source, the CBSA 
is required to record each use on the individual's file. Describing them in the PIB is, therefore, a far 
more efficient practice ~ see Question 11.) 

AND, include a description of these other uses in the "Privacy Notice" or "Consent Statement", as 
appropriate, 


| Will personal information be disclosed for purposes directly related to the administration of the program or | 
activity? 


YES 


| 10.1 DX] Please check all applicable boxes below and, for each disclosure, identify the name of the 


organization or third party to which personal information will be disclosed. If it is disclosed within the | 
CBSA, please identify the branch and the program or activity. 
10.1.1 a Within the CBSA for another program or activi 


10.1.6 0 The private sector — contractor or other external service provider) 
10.1.71] Other 


: 10.2 X AND, ensure that: 


a) any such disclosure is made in compliance with section 8 of the Privacy Act, which allows 
disclosures of personal information with consent of the individual to whom the information 
relates (subsection 8(1)) or without consent in certain and limited circumstances pursuant to 
subsecti ion 8(2) of the Act 
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b) only personal information elements that are necessary for the intended purpose are disclosed; 

C) the organization or third party receiving the personal information is authorized to do so; - 

d) administrative, physical and technical safeguards appropriate to the sensitivity of the information 
will be applied to protect the information during and after its transmission (see Question 15); 

e) the organization or third party to which the personal information will be disclosed for the 
administration of the program or activity are identified in the "Consistent Use" section in the 
relevant PIB in CBSA info Source, including the specific purpose of the disclosure; 
the "Privacy Notice" or "Consent Statement" describes any disclosures of information; 

f) the “Data Flow Diagram" or "Data Flow Tables" completed in "Section 4 — Flow of Personal 
utei of the CBSA PIA include details on the disclosed personal information: 


nee ndi ing, an eet a each (à arrangement ete. Eo ensure 2 that appropriate privacy 
protection clauses are included, and, where applicable, include provisions for inter-jurisdictional or 
transborder flows of personal information. Such clauses must cover the following topics: 


a) Control over personal information, where appropriate. | 

b) Limitations on the collection, retention, use and disclosure of personal information. 

c) Measures (administrative, technical and physical) to protect the integrity and confidentiality of 
personal information. 

d) Measures governing the disposition of the personal information, where relevant 


P e) Measures to ensure or verify that the personal information is only used for the purposes related | 
: to the agreement, arrangement or contract. 


f) Obligations are to be extended to other parties such as subcontractors. 


- NO 
| 10.4[ ] There is no disclosure of personal information within or outside the institution for purposes that are 
: directly related to the administration of the program or activity. 
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- 11. Accounting for New Uses or Disclosures No st t Reported in CBSA In 1 fo Source 

| Will controls and procedures be implemented to account for any new use or disclosure of the personal 

| information that is not included in the relevant PIB published in CBSA Info Source? 

| YES 

|. 111 [X] Appropriate controls and procedures have been or will be implemented to ensure that: 

a) the head of the institution (The ATI and Privacy Director) or the appropriate delegate is notified 
about any new use or disclosure of personal information that is not reflected in the PIB 
description published in CBSA Info Source; 

b) the consent of the individual to whom the information relates is obtained in writing, as 
appropriate, prior to any new use of the information for an administrative purpose that is not 
reflected in the relevant PIB published in CBSA info Source, unless the new use is considered to — 
be consistent with the purpose for which the personal information was obtained or compiled and 
the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith regarding : 
the new consistent use; | | 

C) except as permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 
information for a purpose that is not reflected in the relevant PIB published in CBSA Info Source | 
will only be made with the consent of the individual to whom the information relates; : 

d) arecord is kept for any new use or disclosure of personal information not described in the 
relevant PIB published in CBSA info Source, and that this record is stored with the personal 

T information to which it relates and retained for a minimum period of two years following such a 
use or disclosure; 

e) if the information is disclosed to a federal investigative body under paragraph 8(2Y(e) of the : 
Privacy Act, the record of disclosure will be kept in a separate PIB for a period of two years where - 
it will be available to the Privacy Commissioner for review upon request; - 

f) the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith, as required 
under subsection 9(4) of the Act, of any new use or disclosure that is consistent with the purpose | 
for which the information was obtained or complied, but which is not reflected in the relevant | 
PIB published in CBSA Info Source; 

g) the relevant PIB is amended in time for the next edition of CBSA Info Source to include any new 
use(s) or disclosure(s) that are consistent with the purpose for which the information was 
obtained or compiled, as well as any routine use(s) or disclosure(s) that do not fall within the 
categories of purpose of collection or consistent use; and 

h) the Privacy Commissioner is notified, by the ATI and Privacy Director, prior to or forthwith, as 
required under subsection 8(5) of the Act, about any disclosures made or to be made in the 
public interest or in the interest of the individual to whom the information relates. 

i) Other 

an 2 a. pl ease D why such controls and procedures will not be implemented - 
| i adequate justification. 
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| Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of sensitivity of 
the personal information to be collected and retained for the program or activity? | 


YES 
| 12.1 DX] The information contained in the SoS or similar analysis has been taken into account when assessing 
| the level of risks to privacy in “Section 2 - Risk Area identification and Categorization” of the CBSA 

| PIA. 


NO. 
122] Please explain why a SoS or similar analysis was not considered necessary to assess the sensitivity of 
- the information. 


| Has a Threat and Risk Assessment (TRA) or a similar security assessment been completed for the program or | 
| activity? (Input to this section must be coordinated with and reviewed by CBSA —IT - Security Directorate) : 


VES 
| Reference the title of the TRA or other security assessment in “Section 6 — Supplementary 
Documents List" and provide a brief sci un of the assessment in the Space below: | 


l 13. 2| | AND, obtaja: assurances from the officials responsi e for ther program or r activity that the measures 
| recommended in the assessment have been implemented to ensure the confidentiality, availability 
and integrity of the personal information. 
| 13.3 [_] AND, ensure that any residual risks to personal information are known and accepted by the 
executive or senior official responsible for the program or activity and the Head or delegated 
authority for the Privacy Act. (ATI and Privacy Director) 
: 13.4 X Dx] | ifa TRA or similar security assessment is underway, simply reference that fact in the space below and ; 
: indicate when it is likely to be completed. If there is no intent to complete o one, please explain. 


review of the wirele: 
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| Please identify below any administrative, physical and technical safeguards in place, or to be implemented, 
_ for this program or activity to ensure the confidentiality, availability and integrity of the personal 
| information. 


| Please check all that apply, including safeguards identified by the TRA or similar security assessment. 


14. 1 Administrative safeguards 

[X] Internal security and privacy policies and procedures 

[X] Staff training on privacy and the protection of personal information 

X] Screening and security checks of employees 

| Appropriate security levels for employees who will have access to personal information 

X| Contingency plans and documented procedures in place to identify and respond to security and 
privacy breaches, and to communicate security violations to the data subject, law enforcement 
authorities and relevant program managers 


><] Regular monitoring of users’ security practices 
| Methods to ensure that only authorized personnel who need to know have access to personal 
information 


[X] After hours alarms and monitoring systems 
[ ] Locked filing cabinets 

Combination locks 

Video surveillance (closed-circuit television) 
x Qj Secured server locations 

x Backups secured off-site 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Entry/Exit Wi reless Handhelds | PIA 


Man. ee ee 


Role-based user authorization and authentication 


[X] Session-time out security (automatically locks an account after a session has been idle for a 
specified amount of time) 

= Firewalls 

E ionis Private Network ie 


= pane of Canada Public Key Infrastructure Certificates (PKI) ! 
Je Externa! Certificate Authority (CA) | 


Will the information system(s) used to deliver the program or activity employ cookies or other tracking 
technologies to collect personal information about users and their transactions? 
YES 
15.1| ] The specific tracking technologies to be used is adequately described under Part 6: Technology and. 
Privacy of "Section 2 — Risk Area Identification and Categorization” of the CBSA PIA; 


| 152 [ |] AND, the collection of any personal information using such technologies is reflected in the relevant 

: PIB and in “Section 3 ~ Analysis of Personal Information Elements" of the CBSA PIA; 

| 15.3[ ] AND, the use of such technologies to collect information about users and their transactions is 

: adequately reflected in the "Privacy Notice"; 

15.4| ] AND, those responsible for implementing and using tracking technologies to collect personal 

| information or who may have access to personal information collected through these methods are 
made aware of RATS and iid Sip ossis: 
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minimum of two years after the last administrative action as required under the Privacy Regulations. 


: NO 
15.6 Tracking technologies are not used to collect personal information about users. 


| Privacy - - Surveillance c o Monitorir 


. Will the new or modified program or activity result in new or increased surveillance or monitoring of a 
_ targeted population? 


| YES 

16.1] ] Consult with your legal advisors to determine whether or not such surveillance or monitoring 

! activities raise any issues relating to the Charter of Rights and Freedoms, the Privacy Act or other 
applicable acts. 

| And, ensure the surveillance or monitoring method(s) to be used, the characteristic(s) of the 

targeted population and the scope of the surveillance or monitoring are adequately described under 
Part 6: Technology and Privacy of "Section 2 — Risk Area Identification and Categorization" of the 
CBSA PIA. 

_| AND, any personal information callected or created as a result of such surveillance or monitoring is 
described in the relevant PIB and in Section 3 ~ Analysis of Personal information Elements" of the 
CBSA PIA. 

| AND, the collection or use of personal information through surveillance or monitoring is adequately 
reflected in the "Privacy Notice", unless such notification might result in the collection of inaccurate 
information or defeat the purpose or prejudice the use for which the personal information is 
collected. 

ED if notice about surveillance c or PERONO? will not be provided. 


- 16.5 E AND, those responsible for implementing and using such surveillance or monitoring method(s) or 
2 who may have access to personal information collected or created through these methods are made 
aware of privacy and security policy requirements. 


| NO 
| 16.6 The new or modified program or activity will not result in additional surveillance or monitoring. 


PR ———————————————————————————————————————————PHáá—— 3 


Does the program or activity involve compliance/regulatory investigation or law enforcement, surveillance 
_ or intelligence gathering that targets specific individuals against whom penalties, criminal charges or 
| Sanctions may be applicable? 


Canada Border Services Agency 


rtu de la loi sur l'Accès à l'information 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Entey/Exit Wireless Handhelds 


PIA 


1715 Consult with your legal advisors to determine whether or not the compliance/regulatory 
| investigation or law enforcement activities raise any issues relating to the Charter of Rights and 
Freedoms, the Privacy Act or other applicable acts. 


[ 17.2 [X] AND, identify the legislative authority and the specific regulatory or law enforcement purpose 
| involved: 


| 17.3 [] AND, if the legislative authority differs from the legal authority for the program or activity, ensure it 
- is adequately reflected in the response to Question 1 of "Section 5 — Privacy Compliance Analysis" 
and in "Section 1 ~ Overview and PIA Initiation "of the CBSA PIA. 


pus icément survei dillaite 0 or i intelligënce gathering program. or ractiditiyi is es, in the —— 
| PIB and in "Section 3- — Analysis of Personal Information Elements" of the CBSA PIA, 
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| 175| | | AND, the collection or use of personal information through these compliance 7 regu latory - 

| investigation or enforcement activities is adequately reflected in the "Privacy Notice", unless such 
notification might result in the collection of inaccurate information or defeat the purpose, or 
prejudice theu use, for which the personal information i is s collected. 


If notice about the compliance/regulatory investigation or law enforcement activities will not be 
provided. 
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ecommendations 


(Ljow: There is a remote possibility that the risk will materialize and/or the impact of the risk to the 
program is minor. 

(M)oderate: The possibility of the risk materializing is very low although the impact of such a risk is high, 
OR the possibility of the risk materializing is high but the impact of such a risk is minor, OR the impact 
and likelihood of the risk occurring are both determined to be moderate. 


(H)igh: There is a near certainty that the risk will materialize if no corrective measures are taken and/or - 


the impact of the risk on the program is severe. 


Necessity to Collect Personal Information 
No risks identified. 


Authority for the Collection, Use or Disclosure of the Social Insurance Number 
No risks identified. 


Direct Collection - Notification and Consent 
1) Signage notifying all travellers that their information will be collected is not in place at all ports 
of entry. 
Mitigation: Given information collection at our POEs is an ongoing activity this risk requires 
resolution at a level much larger than the Wireless Handheld project. 
Risk Rating: Minor 


Indirect Collection - Consent or Authority under Sec. 10 of Privacy Regulations 
No risks identified. | 


Indirect Collection - Without Notification and Consent 
No risk identified. 


Retention and Disposal of Personal Information 
1) CBSA retention period for data collected via traveller processing in this case is 7 years. 
Mitigation: CBSA to conduct a review of the retention period for information collected via 
traveller processing, and explore the possibility of aligning the traveller processing records for 
entry, which are currently retained for seven years, with the retention period for Entry/Exit 
initiative (exit records), which is set for 15 years retention past the point of collection. 
Risk Rating: Minor 


Accuracy of Personal Information 
No risks identified 


Use of Personal information 
1) Concerns could be raised regarding the use of data collected. 
Mitigation: All data collected is used in accordance with established parameters. Data collected 
is collected under the legal terms of the Customs Act. 
Risk Rating: Minor 
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Disclosures Directly Related to the Administration of the Program or Activity 
No risks identified. 

Accounting for New Uses or Disclosures Not Reported in CBSA Info Source 
No risks identified. 


Safeguards 
1) IPIL access is available at most sites where the handheld devices will be deployed. Using 

the handheld device rather than IPIL increases the risk to the personal information of 
travellers. 
Mitigation: At these sites handhelds represent an essential tool to allow officers to stay with 
travellers, thereby increasing security and control of the situation for both travellers and 
Officers. The risk to the security and control of the situation outweigh the risks to the 
information of travellers. | 
Risk Rating: Minor 


2) CBSA project processes stipulate Security Assessment Report (SAR) as the approved 
Agency project document instead of a Threat and Risk Assessment (TRA). The Security 
Assessment Report is underway. 

Mitigation: The SAR is underway ~ resourcing issues may impede its completion. 

Risk Rating: High 


SUR 3) Devices could be misplaced or stolen. | 
Mitigation: While a device may be misplaced or stolen several items limit the risk associated 
to this loss: 

a. In 9996 of circumstances there is no information stored on the device. 
b. Anyinformation on the device will be encrypted (info on device only in rare 
circumstances). 

Device access is restricted with a PIN and/or user ID and password. 

Devices will wipe with 11 failed password attempts. 

Device can be located, locked and wiped remotely. 

Device will have 'if found' messaging and contact information to facilitate safe 

return. 

Risk Rating: Minor 


ToO» noo 


4) interception of Wireless Transmission. 
Mitigation: Data in wireless transit via Wi-Fi or cellular will be encrypted thereby limiting 
risk. in addition there is intrusion detection system. This means that should a non- 
authorized user try to connect to the network it will be detected and shut down the 
connection. 
Risk Rating: Moderate 


5) Loss of Connectivity 
Mitigation: If connectivity is lost, it is possible in very rare circumstances that a device will 
have personal information on it. Connectivity is expected to be stable. All information would 
be encrypted. 
Risk Rating: Minor 


nte Ri 
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6) Cellular connections could roam to U.S. towers at some locations. 
Mitigation: This will be mitigated by eliminating the capacity for device signal to roam. 
Risk Rating: Minor 


7) Remote viewing by third party vendor for support via MDM. 


Mitigation: This will be mitigated by requiring notification and acceptance of the request for 


access by the user prior to the vendor remotely accessing a device. BSOs will be briefed to 
ensure that when remote access is granted to a third party vendor for support that no 
personal information is available on the device. In addition, all those with access will be 
security cleared to enhanced reliability. 

Risk Rating: Moderate 


Technology and Privacy - Tracking Technologies 
No risks identified. 


Technology and Privacy - Surveillance or Monitoring 
1) Acamera is part of the device and could be perceived to be used for surveillance or 
monitoring. 
Mitigation: The camera will be disabled and will not be available for use. 
Risk Rating: Minor 


Considerations Related to Compliance, Regulatory Investigation, Enforcement 
No risks identified. 
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uments used or related to the CBSA PIA may include: 


Info Source, Canada Border Services Agency Chapter 
Privacy impact Assessment, PIK, December 2016 
Custom Act 

Architecture and Design Specification (ADS) Part 1 
Architecture and Design Specification (ADS) Part 2 
Architecture and Design Specification (ADS) Part 3 
Architecture and Design Specification (ADS) Part 4 


© 9 ë ë * + p 


The following signature represents a The following signature represents a commitment 
| commitment to comply with sections 4 to 8 of by the Head of the institution or his/her 

the Privacy Act and the related privacy policy delegate(s) who is responsible for establishing 
ments outlined in the CBSA PIA as they personal information banks in accordance with 
section 10 of the Privacy Act. 


: reg qu dirà 
| 3 fa late "ds the ee the identified 


idu y Vice Président, Programs BK nch Dan Proulx, Director, A ccs to Information and 


Privacy Division 


MAY 31207 | 


Date | | Date 


/ Note: Responsibility for sections 4 to 8 of the Privacy Note: Under the Privacy Act, the Head or his/her 

| Act rests with all employees of government delegate(s) is responsible for complying with legal and 
- institutions that handle personal information. Officials relevant privacy policy requirements related to the 

| who manage such programs and activities are approval and registration of personal information 

_ responsible for ensuring that such requirements are banks 

| implemented as part of the administration of the 

| program or activity. 
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Privacy Compliance _ Action required to support legal and policy compliance | 
_ Malves question # (cross reference to relevant question of Section 5- Privacy done - 


1 Legal authority for the program or activity has been established and XS E 
is reflected in the relevant PIB. 


2 a) The categories and elements of personal information to be 
collected for the new program or activity have been carefully 
assessed based, for example, on the CBSA's experience gained 
with the administration of a similar program or activity. The 
personal data collected will be limited to only that which is 
required.) 

b) Categories and elements of personal information have been 
described in the relevant PIB for the program or activity. 

c) Controls and procedures will be implemented to ensure the CBSA 
does not collect more personal information than necessary for 
the program or activity and that a continuing need exists for the 
personal information and its collection. 


4 and 5 a) All of the requisite "Privacy Notices" and "Consent Statements" 
that meet the requirements of sections 6.2.9 to 6.2.12 of the D] 
Directive on Privacy Practices have been drafted. (Texts of the 
notices and consent statements must be included as an annex.) 


b) Controls and procedures have been implemented to keep 
records of individual consents, and to ensure that persons acting 


consent have the authority to do so under section 10 of the 
Privacy Regulations. 


7 a) A Records Disposal Authority (RDA) has been approved by 
Library and Archives Canada to authorize the disposal of the 
records containing personal information for the program. 

b) Controls and procedures have been implemented within the x] a 
program or activity and the CBSA ATI and Privacy Division to 
ensure that information that has been used for an 
administrative purpose will be kept for the minimum retention 5j [7 
period established by the Privacy Regulations. | bus 
c) Reference to the RDA, the retention period and the disposition 
standards for the program have been cited in the relevant PIB. 


8 Controls and procedures are in the process of being implemented to 
ensure that the personal information associated with the program is x E 
m as accurate, complete and up-to-date as necessary. 
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nness 


(cross reference 


(these considerations should be explored in the Executive Summary) 


individual's Access 


to 


Personal Information 


Chall 


enging 


Compliance 


Describe how the results of any privacy impact assessment or audit 
will be made available to the public. The Executive Summary will be 
published on the external CBSA ATI and Privacy Division website at 
http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia- 
efvp/atip-aiprp/pias-sefp-eng.html 


Are policies and practices relating to the proposal's management 
and handling of personal information available to the public? 


Is there a communications plan to explain to the public how 
personal information will be managed and protected? 


Is there a clearly defined and easy process for individuals to access 
such information and/or communicate with appropriate individuals 
with respect to policies and practices relating to management and 


Where appropriate, will public consultation take place on the 
privacy implications of the proposal? 


is the system designed to ensure that an individual can have access 
to his/her personal information, inciuding all other programs or 
applications that have received copies of the information? s. 12(1) 


Are there documented procedures developed or planned on how to | 


make privacy requests or requests for the correction of personal 
information? s. 12 (2) 


Are individuals provided with access to their personal information 
in the official language of their choice? s. 17(2) 


If appropriate, are individuals provided with access to their personal 
information in an alternative format? s. 17(3) 

Are the complaint procedures for the proposed program or service 
consistent with legislated requirements? s. 29-35 


To improve information management practices and standards, has 
a procedure been established to log and periodically review the 
nature, frequency and resolution of complaints? 


pq 
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y compliance : Done : Tobe 
(cross reference to relevant question of Section 5 — Privacy — Sone 


Compliance Analysis) 


Are there oversight and review mechanisms implemented or 
available to ensure accountability? 


Have oversight agencies, including the Office of the Privacy xX 
Commissioner, issued reports or opinions on issues that would be 
relevant to the proposal? 
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Immigration Enforcement Policy Unit 
Enforcement and Intelligence Programs, Programs Branch 


March 2017 
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Treasury Board Secretariat policy 
requirements (2010). 
incorporates more detailed privacy 
analysis to reflect expectations of 
| the Office of the Privacy 
| Commissioner (2011). 
User friendly with examples and 
explanatory notes. 
Includes an Action Plan for 
| implementing mitigating strategies. 
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| program and planned regulatory amendments for Ministerial relief, including the requirement that applicants 
| complete a standardized application form. 


Under existing legislation, foreign nationals who are believed to be or found to be inadmissible to Canada 
: under the Immigration and Refugee Protection Act (IRPA) on the basis of security, certain provisions relating to 
numan or international rights violations, or organized criminality may seek a declaration of relief from the 
Minister of Public Safety and Emergency Preparedness (Minister) under subsection 42.1(1) of the IRPA. If the 
Minister decides to make a declaration of relief, the original grounds for inadmissibility no longer apply. The 

. foreign nationals may then pursue temporary or permanent resident status without their applications being 

: rejected because of the same grounds of inadmissibility for which relief was granted. It is important to note 

| that the Ministerial relief process and the admissibility process are two separate processes and this PIA only 

| addresses Ministerial relief. The collection of data from the admissibility process is not impacted. 


| There is currently no formalized application framework for Ministerial relief. Foreign nationals typically 

| request relief by providing documentary submissions with varying degrees of relevance to a decision on 

, whether or not to grant relief. Currently, there are also no formal criteria establishing when a person may 

- apply for relief. Until recently, Immigration, Refugees and Citizenship Canada officers were directed to refer a 
| person for consideration for Ministerial relief and to await the outcome of the relief process prior to either 
rejecting their immigration application (i.e., temporary or permanent resident application) or referring 

| allegations of inadmissibility to the Immigration and Refugee Board (IRB) for determination. As a result, the 

| current Ministerial relief inventory includes applications from individuals who have yet to receive a final 

- decision on admissibility. This has resulted in resources being used to assess applications of individuals who 

| may not be inadmissible, and as a result, may not require Ministerial relief. Amendments to the Immigration 
| and Refugee Protection Regulations (IRPR) are designed to bring greater clarity, consistency and control to the 
| Ministerial relief application process, case intake and inventory management. These amendments will: 


* establish when a foreign national may submit an application (e.g., once a final inadmissibility 

determination has been made, including exhausting all legal challenges). This will allow the CBSA to focus 
resources on processing Ministerial relief cases where inadmissibility has already been established and 
upheld by the IRB or courts, and will effectively reduce the future intake of cases where MR is not 
required; 
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e allow the CBSA to return an application, unprocessed, when certain requirements are not met, 


e allow applications to be closed when an applicant does not respond to a notice requiring them to confirm 
| their intention to proceed with their application within the specified timeframe, or when other remedies 
have been obtained; | 


e require applicants to provide the Minister with updated address and contact information while 
applications for Ministerial relief are in process; and 


e address transitional cases (cases already in progress at the time the new framework is implemented) 

| impacted by the new regulations by clarifying which aspects of the proposed regulatory amendments 
would apply to those requests for Ministerial relief received prior to the coming-into-force of these 
proposed regulatory amendments. 


| The proposed regulatory amendments were pre-published in the Canada Gazette in june 2015. Final 
| publication is expected upon the regulations coming into force, after which use of the application form will be 
_ required for all new applicants for Ministerial relief. 


- Legislative Authority 
: Authority for this collection, use and disclosure of personal information is found in the /RPA [sections 15.1, 


| Scope 
| This PIA assesses the management of personal information collected, used, disclosed and retained by the CBSA | 
_ during the MR application process only. | 


| Necessary, Effective, Proportionate and Minimal 

The personal information collected, used, disclosed and retained under this initiative is necessary to support — 
: the Agency's research and advice to the Minister of Public Safety on the merits of an application for Ministerial : 
| relief. The proposed measures will augment the effectiveness of the MR application process by requiring the | 
| timely provision of information relevant to the assessment process. Collection and disclosure is minimized to 

: safeguard the rights of applicants, and to reduce the risk of a breach of their personal information. The 

| information collected under this initiative will be used to inform advice and recommendations to the Minister. 

| By prescribing a defined process, the use of an application form, limiting the time during which files remain 

: open, and applying a record disposition schedule, the CBSA believes the Ministerial rellef process impairs as 

| little as possible the privacy rights of the applicants. 


Protecting your Personal information | 
. The following personal information elements will be managed by the CBSA Ministerial Relief Unit (MRU): 


e The applicant's place of birth, gender, marital status, and the names of any former spouses or 
common-law partners; 


e The applicant's telephone number and email address, if any; 
e The applicant's former countries of citizenship or former countries of nationality; 


e The applicant's education, including the name and location of all elementary and secondary schools 
and post-secondary, technical and vocational institutions attended and the start and end dates for the 
periods during which they attended each school or institution; 
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name and address; 


e The applicant's international travel history beginning from the age of 16 years, including a list of the 
countries visited, the purpose of the visits, the dates and duration of the visits and any immigration 
status sought from or granted by any country visited; and 


* Whether the applicant was determined to be inadmissible under section 34, paragraph 35(1)(b) or (c) 
or subsection 37(1) of the IRPA, the date on which and the city and country in which the 
determination was made and whether the determination resulted in a decision referred to in 
paragraph 24.1(1)(a) or a removal order referred to in paragraph 24.1(1)(b). 


The above-listed information will be collected via a standardised application form BSF 766E (see attached) 
created by the CBSA, to be completed by the applicant and delivered to the MRU accompanied by any 
additional information the applicant feels relevant to the national interest assessment. 


- This information will be assessed, along with information related to the applicant and the activity in which 

| they participated or groups of which the applicant was a member that is in the control of the CBSA from the 

| former Field Operations Support System (FOSS), the National Case Management System (NCMS), the Global 

| Case Management System (GCMS), the Secure Tracking System (STS), Computer-Assisted Immigration 

| Processing System (CAIPS), Case Processing System (CPS), as well as any information from the Canadian Police 
| Information Centre (CPIC) that might be relevant. This information is assessed by analysts of the MRU and 

2 they will provide a recommendation and reasons to the Minister for a final decision on individual applications. 
| The recommendation, as well as the information used in support of the recommendation, is disclosed to the 

| applicant; any sensitive information provided by partner agencies will be redacted prior to disclosure to the 

| applicant. 


- Right of Access 

A privacy notification statement will appear on the application form explaining the reason this information is 

| being collected, how the information will be used, to whom it may be disclosed and how the applicant may 
make a complaint. When the CBSA has prepared a recommendation for the Minister, a copy of the 2 
| recommendation, and all information used in support of the recommendation (less any third party information | 
: that has been redacted), is provided to the applicant. The applicant is invited to make any additional | 
| submissions prior to the recommendation and associated documents being referred to the Minister for 
decision. Personal information collected will be retained for a period of 80 years or when the individual is 100 

| years of age and only after the file has been closed. 


| Applicants may formally request access to their personal information, or access to corporate records related to | 
| or created by the MRU by contacting the Access to Information and Privacy Division. More information about _ 
: this can be found at: http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip-aiprp/menu- 

| eng.html. 


| Accountability | 
Applicants with concerns about the collection, use, disclosure or retention of their personal information may 
| issue a complaint to CBSA Access to Information and Privacy Division. Complaints should be made in writing, 
: and include the applicant's name, contact information, and a brief description of the concerns. Contact 

| information for the Access to Information and Privacy Division at the CBSA can be found at: htto:// 


immigrati ion, Refugees and Citizenshi ip Canada (formerly Ci Cit izenship "m 
migration Canada) | 
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Thi 5 section provi ides defini ti ions of the terms AT used in this report: 


Action Plan : | The Action Plan describes the steps that the Program will take to address ri sks that 
| have been identified by ATI and Pri IVacy Division, OPC and TBS. 


| Admis issi sible | An admissible person is a person who has been determi ned to meet the criteria ok 
- | the IRPA and the IRPR, and been determined not to be described by any of the 
| grounds of i inadmissi ibili ity described in the IRPA. 


| Administrative purpose | The Privacy Act defines an "administrative purpose" to be the use of an | indiv idual's 
| personal information in a decision-making process that directly affects that 
indiv idual. 


| Confidetitiality - : The Government Security Policy (2002) defines “conf dentia lity” to be the attri ibute 
- | that information must not be disclosed to unauthorized individuals, because of the 
: resulting injury to national or other interests, with reference to specific provisions 
| ofthe Access to information Act and the Privacy Act. 


| Consistent use is a use that has a reasonable and direct connection to the original —€—Ó } for 

: | which the information was obtained or compiled. This means that the original 
: purpose and the proposed purpose are so closely related that the individual would 
| expect that the information would be used for the consistent purpose, even if the 
use is not spelled out. 


| Data Matchin ng | Ac comparison of es data obtained koma a vari ae ots sources,  includin ing 

: - personal information banks, for the purpose of making decisions about the 

: individuals to whom the data pertains. Data matching is a specialized activity 

2 involving the collection, use and disclosure of personal information that is subject 
to the vari ous requi irements of the Privacy Act. 


A foreign national is a person who is neither a Canadian citizen, nor a permanent 
resident, and includes a stateless person. 


The IRPA establishes speci ific criteria by which a person may be refused admission 
| to Canada, or if already in Canada, may be subject to removal. An inadmissible 
: person may not be granted temporary or permanent resident status in Canada, 
: unless the IRPA allows for a specific remedy or exemption from the grounds of 
: inadmissibility. in dealings with persons who may be inadmissible to Canada, 
officers contro! the admission and/or allow for the presence of persons in Canada 
| by referencing the various inadmissibility provisions of the IRPA. Part 1, Division 4 
of the Act makes distinctions based on categories of inadmissibility related to: 
| œ criminality; 
e organized criminality; 
e security; 
e human or international rights violations; 
e health; 
e financial reasons; 
„e misrepresentatio 
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e non- compliance; 
e inadmissible family members. 


: A person may also inadmissible to Canada if they do not meet the criteria of the 
: status for which they have submitted an application (ie a work permit, a study 
: permi it, ora class of permanent resident). 


info Source. Is a series of annual Treasury Board Secretariat publications in which nan 
| institutions are required to describe their institutions, program responsibilities and 
| information holdings, including PIBs and classes of personal information. The 
| descriptions are to contain sufficient clarity and detail to facilitate the exercise of 
the right of access under the Privacy Act. Data-matching activities, use of the SIN 
| and all activities for which privacy impact assessments were conducted have to bé 
| cited in Info a PIBs, as applicable. The info Source publications also provide 
| contact information for government institutions as well as summaries of court 
| Cases and statistics on access requests. 


Minister's Delegate : The Immigration and Refugee Protection Act (RPA) authorizes the Minister of 

: : Public Safety and Emergency Preparedness (PSEP) to delegate certain decision- 
: making authorities to a Minister's delegate. In the context of an A44(2) review, a 
| Minister's delegate has been delegated the authority to determine whether an 
| inadmissibility report regarding a permanent resident or Mes national is well 
founded and may refer the report to the Immigration Division for an admissibility 
_ hearing, or, where the inadmissibility allegations fall w thi in the jurisdiction of the 
| Minister's delegate, issue the appropriate removal order. 


 Inadmissibility allegations for reasons of security, violations of human or 

: international rights, and organized crime fall solely under the jurisdiction of the 
| delegated officials of the CBSA, and the delegated authority to review those 

| inadmissibility reports can only be exercised by CBSA officials at the level of 

| supervisor or above. Jurisdiction for other grounds of i inadmissibility have been 
| delegated by the Minister of PSEP to officials of both the CBSA as well as the 

: Department of immigration, Refugees and Citizenship Canada. 


| Ministerial relief is one of the four non-delegable authorities listed under 
- subsection iis id the IRPA. 


- | Ministerial rel lief | Under IRPA section 42.1, the Minister of Public Safety and — 
: | Preparedness may grant relief to foreign nationals inadmissible to Canada on the 
| basis of security, certain provisions relating to human or international rights 
| violations, or organized criminality, if he is satisfied that it is not contrary to the 
| ne ional interest. This plore is company referred to as Ministerial relief AM R}. 
Nat ional Interest | National interest is a broad, discretionary test — by the Minister of Public 
- | Safety and Emergency Preparedness. 


| Permanent Resident - À person who has acquired permanent resident status and not "s lost 
| | that status under section 46 of the IRPA. A permanent resident has a qualified 
| right to enter, remain, work, and study in Canada. 
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| Personal Information Personal Information: Information about an identifiable individual as defined in 

section 3 of the Privacy Act, This definition, although lengthy, is not exhaustive, as 
: indicated by the introductory phrase, "including, without restricting the generality 
| of the foregoing”. Information that is not specifically mentioned in the list may still 
be included in the definition of personal information if it qualifies as "information 
about an identifiable individual". 


| Personal | I information | is a description of personal information that is organized and retrievable by a 
| Bank —— | person's name or by an identifying number, symbol or other particular assigned 
: | : only to that person. The personal information described in the personal 
_ information bank has been used, is being used, or is available — an administrativ 
| purpose and is under the control of a government i institutio 


| Privacy . The Office of the Privacy Commissioner of Canada describes "privacy" as ^.. the i 

| right to control access to one's person and information about one's self. The right to 
. privacy means that individuals get to decide nde and how much information to : 
| give up, to whom it is given, and for what uses.’ 


Secure Tracking System : The Secure Tracking System (STS) contains information on individuals involved.in 

- | and/or associated with any organization involved in war crimes, crimes against 

: humanity and/or terrorist activities, organized crime, money laundering, terrorist — 
- financing, people smuggling, or persons associated with criminal organizations, and : 
| whose admission or presence in Canada may be contrary to immigration or - 
: citizenship legislation. The primary role of STS is to screen Temporary and 

| Permanent Resident (TR/PR) visa applications. 


| À temporary resident isa forei ign national who has been authori zed to enter 
: Canada for temporary purposes under the | IRPA. 
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Report Objectives 


This report is a Privacy impact Assessment (PIA) for applications for Ministerial relief, processed by the 
Canada Border Services Agency (CBSA). The objectives of this PIA are: 


to review the business processes in order to identify the data flow of personal information 
to analyze the collection, use, disclosure and retention of personal information; 

to determine if there are privacy risks associated with applications for Ministerial relief; and 
to provide recommendations on the mitigation or elimination of the risks. 


s € 9 + 


The information presented in this report follows the Treasury Board of Canada Secretariat Privacy 
impact Assessment policy and guidelines. 


The purpose of a PIA process is to ensure that privacy is considered throughout the project development 
cycle. The results of a PIA are a documented guarantee that privacy issues have been identified and 
adequately addressed. 


Government Institution: Canada Border Services Agency, | Enforcement and intelli Bene Programs 


Government Official Responsi ible for the Privacy Dan Proulx 
impact Assessment 


Martin Bolduc, Vice-President, Programs Branch, CBSA ATI and Privacy Director 
CBSA 


The Ministeria | Relief initiative falls under sub-program 5.1 immigrati on Investigations in the CBSA's 2016- 
2017 Program Alignment Architecture. The Immigration Investigations Program investigates, ports. and 
arrests foreign nationals and permanent residents already in Canada who are, or may be, inadmissible to 
Canada as defined by the Immigration and Refugee Protection Act. Depending on the type of inadmissibility 
and the status of the person in question, inadmissibility reports are reviewed by either a Minister's Delegate 
or the IRB. When a person fails to appear for an immigration proceeding such as an examination, admissibility 


hear Ing o or a interview, a warrant for their arrest baee be issued. Warrants may also be biis Busta d 
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cee records related to investigations into Foreign Nationals s (EN) or Permanent Resident (PR) who may 
be inadmissible to Canada under the Immigration and Refugee Protection Act (IRPA). 


Records may be found in the following systems: the former Field Operations Support System (FOSS), the 
Computer-Assisted mmigration Processing System (CAIPS), the Global Case Management 5ystem (GCMS), the 
National Case Management System (NCMS), the Secure Tracking System (STS) and the Canadian Police 
Information Center (CPIC). 


Document Types: Admissibility/Inadmissibility reports, forms (Vienna Conventi ion Rights Form, Notice of _ 

Sei izure, Notice of Arrest, Departure Order, Deportation Order, Exclusion Order), Warrants, case files, 2 
policies/directives, procedures, operational bulletins, manuals, discussion papers, Memoranda of Understanding 
(MOU), performance framework material, training strategies and course material, briefing notes, issue sheets 
and question period cards. 


PX. Proposal for a New Personal information Bank 
|__| Proposal to ales fy an existing Personal Information Bank - identify PIB registration number and current 
description 


Canada Border Services Agency 


AMAA 


Description: This bank describes personal information that is used in support of the processing of 
applications for Ministerial relief (MR), including the preparation of MR recommendations, decisions 
rendered and associated supporting material. Personal information may include the applicant's name, 
gender, contact information, biographical information, biometric information, citi izenship status, credit 
information, nationality, marital status, names of any former spouses or common-law partners, nationality 
and immigration status of all family members of the applicant, whether accompanying or not, criminal 
 checks/history, history of detention, immigration and enforcement hi istory, date of birth, place of birth, 
education and training, financial information, physical attributes, employment and volunteer history, _ 
membership and association with organizations or foreign governments, police, military and parami ilitary 
history, engagement in acts of espionage, subversion, terrorism, human smuggling, use of armed struggl 
violence to reach political, religious or social obiectives, human trafficki ing and/or money laundering, 
involvement in an act of genocide or in the commission of a war crime or crime against humanity, medical 
information, photos, travel documentation, signature, travel hi istory, previous countries of residence, | 
applicant and/or representative contact information and i immigration identification numbers. The bank may 
also include applications for permanent residence and refugee status, assessments by immigration officers, 
removal documentation, temporary resident permits, previous findings of inadmissibility and supporting 
evidence, court and tribunal records, any considerations that the applicant feels would satisfy the Minister 
that granting Ministerial relief is not contrary to the national interest, and computer-based information 
(former Field Operations Support System (FOSS), Computer-Assisted | immigration Processing System (CAI PS) 
Case Processing System (CPS), the National Case Management System (NCMS), the Global Case Management. 
System (GCMS), the Secure Tracking System (STS), the Canadian Police information Center (CPIC) and e- mail). 


Meer 


Note: The personal information may be stored in the foll owing internal databases: the former Field 
Operations Support System (FOSS); the National Case Management System (NCMS); the Global Case 
Management System (GCMS); and the Secure Tracking System (STS). 


Class of individuals: General Public 


Purpose: To administer the Ministerial re lief component of the CBSA's Immigration Program, specifically in 
order to process applications for MR submitted under subsection 42.1(1) of the Immigration and Refugee 
Protection Act (IRPA). Information is collected under the authorities of subsections 15(1) and 16(1) of the 
IRPA, paragraph 28(a) of the immigration and Refugee Protection Regulations (IRPR) and pursuant to new 
regulatory amendments to the IRPR that will be created in order to authorize the collection of specific 
information for the purposes of MR applications. The new regulations will also incorporate certain elements 
of section 10 of the IRPR, as well as specifically authorize the Minister of Public Safety and Emergency 
Preparedness to create an application form for MR (see Attachment 2). 


Consistent Uses: Information may be disclosed to the Canadian Security Intelligence Service (CSIS) (referto: - 
Canada's War Crimes Program — CBSA PPU 028, Fugitive Information Bank — CBSA PPU 020, Enforcement 
Data System — CBSA PPU 032, Enforcement Information Index System (ElIS) — CBSA PPU 025), the 
Immigration and Refugee Board (IRB) (refer to: intelli igence Program ~ CBSA PPU 035, Canada's War Crimes _ 
Program — CBSA PPU 028, Hearings and Detentions Program ~ CBSA PPU 1107, Enforcement Data System - 
_ CBSA PPU 032) and immigration, Refugees and Citizenship Canada (IRCC) (refer to: Intelligence Program — 
CBSA PPU 035, Canada's War Crimes Program — CBSA PPU 028, Enforcement Data System — CBSA PPU 032, 
Immigration Investigations Program — CBSA PPU 1403) for the purpose of conducting security reviews, 
hearings or investigations related to immigration legislation. Information may be disclosed to the US NCIC 
and to INTERPOL to confirm the accuracy of information the CBSA has on file. Information may be disclosed | 
to CBSA inland enforcement (refer to Immigration Investigation Program ~ CBSA PPU 1403 and Enforcement | 
Data System — CBSA PPU 032) for review for possible further enforcement action either under inadmissibili lity 
provisions, or for criminal proceedings initiated under the IRPA. | 
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judicial review, appeals and 
. information may be shared with 


Courts of Law for judicial review and appeal purposes. Information may be shared with the IRB for the : 
before the Immigration Division (Immigration Division Case Files - IRB PPU 140) and : 


purpose of proceedings 
. Refugee Protection Division (Refugee Protection Division Records - IRB PPU 115). The information found it 
. the following banks may be compared with the information already obtained. Each bank has a specific — 
[ purpose for the disclosure. CBSA PPU 1202 is used for the purposes of improving border management by _ 
|. enabling the CBSA to monitor the flow of persons entering and departing from Canada; CBSAPPU 1301is — — 
. used to administer the Removal Program and to facilitate the enforcement of removal orders; CBSAPPU 1402 
. iscollected pursuant to the Immigration and Refugee Protection Act (IRPA), the Customs Act, the Customs : 
Tariff, the Excise Act, Export and import Permits Act and the Criminal Code of Canada for the purposes of law : 
enforcement; CBSA PPU1403 is collected pursuant to the immigration and Refugee Protection Act (IRPA) for | 
the purposes of the administration and enforcement of [RPA and related immigration legislation and : 
regulations; CBSA PPU 021 is used to provide follow-up on the activities of individuals being held in the 
immigration Holding Centre in the Quebec region; CBSA PPU 1107 is used to administer and provide services - 
for the Hearings and Detentions Program; CBSA PPU 060 is used to monitor the compliance of the individual - 
subject to a security certificate to the terms and conditions imposed by the Federal Cou rt CBSA PPUO35is - 
collected pursuant to the Customs Act, the Immigration and Refugee Protection Act [IRPA], the Customs 
Tariff, the Excise Act, the Excise Tax Act the Export & import Permits Act, the Controlled Drugs and S 
Act {CDSA) and the Proceeds of Crime (Money Laundering) & Terrorist Financing Act for the purposes so | | 
obtaining i information on persons who are suspected o of "Border related illegal activities, including contraband 
sm ugeling and immigration violations; CBSAPPU( 030 is i d din Me sn istrati ion and ene a : 
mund Pl bó (2: jis 


citizenship and i dec on one = 
acs resider pr 
relative to admissi ibi lity to Canada; pues EE nne gr 
CBSA PPU 008 is used for the purposes of administering the Advance e Passenger In information ai suena 
Name Record (API/PNR) Program, which involves performing a risk assessment including a scenario based 
risk analysis and query tor enforcement and intelligence information for individuals prior to theirarrivalin — 
Canada.), IRCC (CIC PPU 042 is used to determine the eligibility of applicants for permanent residency under - 
an economic dass, as authorized under IRPA, and to administer and enforce program requirements; CIC PPU 
009 is used to assess an individual's admi ssibi ility to Canada, and to determine his or her eligibility for referral. 
to the immigration and Refugee Board (IRB); CIC PPU 054 is used to administer, monitor and enforce 
program requirements, including the individual s compliance with nis or her conditions of temporary 
residence and the final disposition of nis or her case Tile; CIC PPU 050, is used to determine the citizenship 
status of Canadians and failed applicants for citizenship, and to facilitate the processing of applications for 
citizenship.), the IRB and CSIS for the purpose of administering or enforcing immigration legislation. 


Retention and Disposal Standards: Personal information collected will be retained for a period of 80 years or 
when the individual is 100 years of age and only after the file has been closed. Furthermore records will be 2 
. retained for two years following their last administrative use. Where files have been designated as histori cal : 
. they may be transferred to the custody and control of Library and Archives Canada; where the e record has not : 
. been so designated, it shall be destroyed. Sos 


RDA Number: 2015/008 
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Related Class of Record Number: C 
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Name of Program / Activity / Service | PLA 
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| ] Proposed new Standard Personal Information Bank 
| | Proposal to modify an existing Standard Personal information Bank - identify Standard PIB number and 
current description: 
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Legal Authority for Program or Activity: 


Canada Border Services Agency 


e 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information 


Name of Program / Activi iid G Service | PIA 
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IRPA ‘Subsection 15(1 "m An n officer i is authorized to proceed with an examination if a person makes an application - 
to the officer in accordance with this Act or if an application is made under subsection 11(1.01) | 


IRPA Subsection 16(1): A person who makes an application must answer truthfully all questions put to them for 
the purpose of the examination and must produce a visa and all relevant evidence and documents that the d 
ae) requires. : 


| IRPA Section 42.1: The Minister may, on application by a foreign national, declare that the matters refered toin 
: ection 34, 35(1 )(b) and (c) and subsection 37(1) do not constitute inadmissibility in respect of the foreign 
r atic onal if they sta the Minister that is not contrary to the national interest 


IRPA Section 43: TI 
define, forthe p f 
the circumstances in which g class suo permanent resident or un nation als i is exempted Poma any du the 
provisions in this Division. 


IRPA Subsection 34(1): A 


permanent resident or a foreign national is inadmissible on security grounds for 


a) engaging in an act of espionage that is against Canada or that is contrary to Canada’s interest 
b) engaging in or instigating the subversion by force of any government 


b.1jengaging in an act of subversion against a democratic government, institution or process as they are 


understood in Canada 
c) engaging in terrorism 
d) 


e) engaging in acts of violence that would or. 


being a danger to the security of Canada 


m ight enc danger the lives or safety of person in Ca nada 
f} being a member of an organization that there are reasonable grounds to believe engages, has _ 


engaged or will engage in acts referred to in paragraph (a), (bj, (b. 1 jor (c) 


IRPA Subsection 35(1): A permanent resident or a foreign national is inadmissible on grounds 


a) committing an act outside Canada that constitutes an offence referred to in sections 4 to 7 of the Crimes. 
Humanity and War Crimes Act. 


b) Being a prescribed senior official in the service of a government that, in the opinion of the Minister 
Engages or has engaged in terrorism, systematic or gross human rights violations, or genocide, 
a war crime or a crime against humanity with the meaning of subsections 6(3) to oe of tf 


Crimes Against Humanity and War Crimes act; or 


IRP tion 18 (1 ] E very person seeking to enter Canada must appear for an examination to determine 
whether that person hasa oe to enter Canada or is or r may become authorized to enter and remain in Canada. 


> BASSE 
aihe Ñ 
Y. F arian nem tary : zai 


suc in the Estimates and authorized 


» bay ye debe oe wee. HONEC i N ARE iu 
y lor the program or activity. (See questio 
D i gS ri $ 3 


ADP ALAA ATRL A P A A P AAA AB AN AR ANNA SA NAR A ANS AA SANSA SNAP PANNIS ININPISNNNIPPNNISNNISNSNINNISNSIISNINNNINNNIISNSPINN 600,0, AA RA A AR AA ARRA AAA AAA AR AAA ARA AAA BAN I NP SPUR S d d t EHE ON 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Name of Program / Activity / Service | PIA 
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Type of Program or Activity Level of Risk 


Program or activity that does NOT involve a decision about an identifiable individual NW 


Personal information is used strictly for statistical / research or evaluations including mailing list where no 
decisions are made that directly have an impact on an identifiable individual. 
The Directive on PIA applies to administrative use of personal information. The Policy on Privacy Protection 


requires that government institutions esta = sh an institutional | Protocol for coves ng non- 
administrative uses of Loin ipid . The CBSÀ Privacy Protocol must be mpl i CO 
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Administration of Programs " Activity and Services 


Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility 
for programs including authentication Tor accessing programs/services, administering program payments, 
overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etca). 


: Compliance / Regulatory investigations and enforcement NE 


Personal information is used for purposes of detecting fraud or investigating possible abuses within 
programs where the consequences are administrative in nature (i.e. a fine, discontinuation of benefits, audit 
of personal income tax file or deportation in cases where national security and/or criminal enforcement is 
not an issue}, 


| Criminal investigation and enforcement / National Security 


Personal information is used for investigations and enforcement in a criminal context (i.e. decisions may lead 
to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement). 


Details: Ministerial relief is sought by a foreign national in order to obtain an exception to some of the most 
serious. inadmi issibility provisions in the IRPA, namely: security, certain provisions relating to violations of 

| human or i international r ights, and organized criminality. The applicant may be, but is not required to be, _ 

| physically present in Canada. Although not intended to establish or reassess inadmissibility under the IRPA, the | 

| Ministerial relief process involves analysis of information relating to very serious allegations that led to an 

| appli icant' si inadmissi bility, in addition to the assessment of other elements, in order to determine whether 
| there exist exceptional factors warranting relief from that inadmissibility. A declaration of relief by the Minister 


| removes an impediment to temporary or permanent resident status in Canada. 


Canada Border Services Agency 


CBSA - Released u idis us mation Act. 


ASFC - Divu FOPA vertu de labi ur l'Accès à l'information 


Name of Program / Activity / Service PIA 


| coming-into-force of the proposed regulatory amendments. Information relating to the grounds of 

| inadmissibility will continue to be taken into consideration by the MRU when processing an application for 
Ministerial relief. Among the requests for Ministerial relief received prior to the coming-into-force of the 
proposed regulatory amendments, some have had formal inadmissibility determinations, and others have not. 
Even where an inadmissibility determination on the basis of security, human or international rights violations, 
: or organized criminality has not been formally established, requests for Ministerial relief nevertheless involve 
| information related to these issues. pos 


Canada Border Services Agency 


CBSA - Released u inn eee mation Act. 
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| Type of Personal information Involved and Context Level of Risk 


| Only personal information, with no contextual sensitivities, collected directly from the RE 
| individual or provided with the consent of the individual for disclosure under : an authori zed 
| Abaca For example: General licensing, or renewal of travel documents or identity 


aocuments. 


ig 
i Xu esl 


| Personal information, with no contextual sensitivities after the time of collection, provided by | ]2 
| the individual with consent to also use personal ony on held is d source. For 
| example: An application process with a requirement for independent verification of certain 


| non-sensitive iactu details. 


Social Insurance Number, medical, financial or other sensitive personal information and/or the 

context surrounding the personal information is sensitive. Personal information of minors or 

- eel dae individuals or involving a representative acung on behalf of the ne vidual. For 
xampie: An individual's name on a parcial list may reveal sensitive information on the 


+ don, ga, wy Ee is E H H vx qo p v P isi $^ 
| health, financial situation, religious or lifestyle c 


no ces of "that TET dividual. 


Sensitive personal information, including detailed profiles, allegations or suspicions, bodily 

samples and/or the context surrounding the personal information is porn ene sensi itive. 

| Pers information that reveals intimate details on the health, financial situat 
ices of the individual and which, by association, reveals similar 


i f i 
: exampi pr Fes CR PATES à 


| Details: In accordance with the planned regulatory amendments, it will be mandatory for applicants to provide 
| basic tombstone information, including name, address, telephone number and email address, DOB, gender, 
immigration number, former countries of citizenship or nationali ity, marital status, the names of their former 
spouse(s) or common law partner(s), and details relating to their education, employment and international 
travel history. Failure to provide the above information will result in the application being returned 
unprocessed. 


Applicants are also asked to provide details relating to organizational affiliations, government positions held, 
service in military, paramilitary or police organizations (and training received), criminal history, and previous 

| countries of residence. If the applicant used the services of a representative, the representative’s personal 
information (including contact information) must be provided on form IMM 5746 (see attached). If the : 
| applicant used the services of an interpreter, the interpreter must attest to the accuracy of their interpretation. 


Applicants must provide the date, city, country, and circumstances under which they were previously found 
| inadmissible under any of the following sections of the IRPA: 34(1), 35(1) and 37(1). 


Program or Activity Partners and Private Sector Involvement 
Within the CBSA lamOngs: one or more programs within the CBSA) 


With other federal institutions 


With other or a combination of federal ud provincial and/or municipal government(s} 


Canada Border Services Agency 


Name of Program / Activity / Service PIA 


Private sector organizations or international organizations or foreign governments 


| Details: Finalising recommendations on Ministerial relief requests may require consultation with other 
Government of Canada partners such as IRCC, DOJ, Public Safety and CSIS. Comments on draft 
recommendations from CBSA partners, if any, are taken into consideration by the CBSA MRU prior to the 
| recommendations being disclosed to the applicant and before they are forwarded to the Minister of Public 
Safety for a decision to grant or deny relief. Applicants’ names, date of birth and other identifiers nay be 
disclosed in order to obtain reports from provincial criminal justice and correctional authorities where an 


ane icant has spent time in a provincial jail or detention facility. 
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Duration of the Program or Activity | Level of risk 


One time program or activity Iu 1 
Typically involves offering a one-time support measure in the form of a grant payment as a social support 
mechanism. 

Short-term program P 
A program or activity that supports a short-term goal with an established "sunset" date. 


long-term program 3 


Ex ist ing program that has been modi fied or is s establi shed with r no clear” Sunset. 


| Details: Ministerial rel lef | is d long-term program with no “sunset” date. 
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Program Population | _ | Level of Risk 


The program affects certain employees for i internal admin istrative purposes. & i 
The program affects all employees for internal admini strati ive purposes., [| 2 


The program affects certain individuals for external admi nistrati ive purposes. 


The program affects ail individuals for external admin istrative purposes. 


Details: Individuals who have appli ed for Ministerial relief. 


Priva Cy 


yy and | 


Technolog 


6.1 Does the new or modified program or activi vity i involve the implementation of a new electronic 
isa: software or application program including collaborative software (or groupware) that 
is implemented to support the program or activity in terms of the creation, collection or 
handling of personal i informati on? 


6.2. Does the new or modified program or activity require any modifications to IT legacy systems __ [|] YES 
and f Of services? 


Canada Border Services ie 


CBSA - Released u inn eee mation Act. 
ASFC - Divulgation en vertu de la ski ur l'Accès à l'information 


the following technologies: 


6.31 Enhanced identification methods: 


This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint 
analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, 
new identification cards including magnetic stripe cards, "smart cards" (ie. identification cards that 
are embedded with either an antenna or a contact pad that is connected to a microprocessor and a 
memory chip or only a memory chip with non-programmable logic). 


: ig ker? sag ann we dhe Se. Se 

i Details: if YES, describe the modificc 
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works ; 


6. 3 2 Use et Aus 


This includes surveillance technologies such as audio/video recording devices, thermal imaging, 
recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring 
including audit trails, satellite surveillance etc. 


Details s: IF YES, describe how and where the surveillance will be used, the type of 
(8 surveillance, and he number of surveil lance components used. - 


6.3.3 Use " seme me iniormati ion — personal infosmatio ion matchi ing js |] YES 
knowledge discovery techniques: SER 


For the purposes of the Directive on PIA, CBSA is to identify those activities that involve the use of 
automated technology to analyze, create, compare, culi, identify or extract personal information 
elements. Such activities would include personal information matching, record linkage, personal 
information mining, personal information comparison, knowledge discovery, information filtering 
or analysis, Such activities involve some form of artificial intelligence and/or machine learning to 
uncover knowledge {intelli gence), trends/patterns o or to predict behaviour. 


fect the electronic system, £ of vore 
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: Details: The Ministerial relief process does not requi ire any changes to CBSA 
- information technology systems. The process of preparing a recommendation for the. 
consideration of the Minister is already established, and functions according to | 
current systems. The MRU does not make use of automated person matching 
| Systems, but instead conducts manual searches of current databases that hold 
: immigration information (NCMS, GCMS, and STS) based on an applicant's 

bi ographical data. 
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A YES response to any of the above indicates potential privacy concerns c and risks that need to be measured and 


| Personal Information Transmi ssi on .. Level of Risk 


| The personal informati ion is used within a closed system. | 11 


No connections to Internet, intranet or any other system. Circulation of hardcopy documents is controlled. 


The personal information is used in system that has connections to at least one other system. 


The personal information is transferred to a portable device or is printed. x 3 


USB key, CD-Rom, laptop computer, any transfer of the personal information to a different medium. 


The personal information is transmitted using wireless technologies. å 


Canada Border Services Agency 
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ASFC - Divulgation en vertu de la loi sur l'Accès à l'information 


Name of Program / Activity / Service | PIA 
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| Details: Personal information i is ; used by MRU officers à accessing 3 NCMS, STS and GCMS, three ca ge | 
: systems residing on the closed, secure CBSA network (RCNET). Officers may also access connected oc! D systems 
through secure web ponas using virtual private networks, such as CPIC. | 


—————— Viii A Sr a 


: Risk Impact to the CBSA o a 


Managerial narm. 
Processes must be reviewed, tools must be changed, change in provider / partner. 


Organi izational harm. | 12 


Changes to the organizational structure, changes to the organizations decision-making structure, changes to 
the distribution of responsibilities and accountabilities, changes to the program activity architecture, 
departure of employees, reallocation of HR resources. 


Financial harm. 


Lawsui it, additional moneys required realiocation of financial resources. 


Reputation harm, embarrassment, loss of credibility. 


Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome 
compromised, government priori ty compromi ised, impacto on nthe Gover nment of Canada Outcome areas. 


Details: f personal data were breached by the MR progre 
| its partners could also suffer significant reputational harm 


ss bise rmation were breached. 


ifs se nsitive 
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Risk Impact to the Individual or Employee t ~ Level of Risk 


inconvenience. 


Reputation harm, embarrassment. X12 


Financial harii 


Physi cal harm. 


Details: If a Ministerial relief package were to be made available to someone ‘other than the applicant, the 
applicant could suffer reputational harm or embarrassment given the seriousness of the grounds of 
inadmissibility contained in the allegations. it is also conceivable that the applicant could suffer financial harm 
| as a release of information could cause them to lose business or employment, as well as physical harm, since 
their previous actions or involvement in certain organizations, such as those operating in organized crime, 


could conceivably lead to acts of retribution "om other groups. 
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Canada Border Services Agency 


Name of Program / Activity / Service | PIA 


Category Of -Personal Information — — Personal Information : Purpose / Necessity 
Personal Information | Element | Sub-Element b | of Element 


| Name | Name : Given name(s), - Paper / | To identify applicant. 
: surname(s)/fami ly name(s) | Electronic - 


| Name Aliases | Any aliases, nicknames, maiden | Paper/ To identify applicant. 
: : . names, or changes of name. | Electronic - 


Place of birth Place of birth | City and country of birth | Paper / - To identify applicant. Requi ired by ss.24. 2(1) of 
- - Electronic the upcoming Regulations ~ 24.2(1)(a) 


| Physical attributes [ Gender | Male, Female, Other - Paper / | To identify applicant: Required by ss.24.2(1) of 
| Electronic the upcoming REBUlSHOnis- 24. 2) ) 


| Citizenshi 11D status : Citizenship/Nationality : All countries of - Paper / - ident fy appli Eau Requi red by SS. 24. 20) of 
| . Citizenship/nationality, date Electronic the upcoming Regulations — 24.2(1)(c) 

| Citizenship/nationality obtained, — | 

_ how citizenship/nationality was 

_ obtained, and present status. 


Other: Language Lon Seis Yand dialect(s) | Language(s) and dialect(s) spoken Paper/ | To helo pe irm i 1 identi ity and verify background 
| | | Electronic details provided by the applicant. 


Canada Border Services Agency 


Name of of Program / Acti yy / Servic 


| Other identificatio 
| numbers 


| Educational nims 


| Other: Inadmissibility 


Canada Border Services Agency 


| Single, common- dau; married, 


Electronic " 


legally separated, annulled 
| marriage, divorced, widowed, or 
| unknown 


: Spouse, partner 
| name(s) 


| Canadi an 
| immigration ID 
| number 


| Formal 
| education/traini 


ng 


| Name of institution(s); field(s) of 
| study; town, city, district, region, 
state/province, country; level, 


| Gi ven name, surname of past or 
| present spouse(s) or common- 
| law partner(s s). 


| degree, diploma or certificate 
_ obtained; and start and end 


. Inadmissi ibili ity 
- determination 


| Described by ss. 34(1) - 
membership, engagement in 
| act(s), and/or being a danger; 


| paras. 35(1)(b) and/or (c) - senior | 


_ official 
| 37(1) 
_ criminality (this 


s and/or sanctions;, or ss. 
~ organized/transnational 
includes all 


| corresponding provisions under 
| the former Immigration Act). 


| Temporary or permanent 


| resident status refusal by 


Paper / 


. This 
c applicant. Required by ss.24.2(1) 
» Regulati ons 24.2(1)(a) 


| Electronic 


assessment. Required by ss.24.2(1) of the 
- upcoming Regulations — 24.2(1)(d) 


: Electronic 


| To confirm and update background details of - 
: applicant and provide information to be 


information will help confirm i identity of | 
of the upcoming - 


considered in the context of MR national interest 


- To determi ne compliance with the regulatory 
amendments and identify basis for which relief is 
| being sought. Required by ss.24.2(1) of the 

| upcoming Regulations — 24.2(1)(g) 


: the decision 


inadmissi ibility t to 


| Other: Other 
- inadmissibility(ies) | 
| | sections of IRPA 


| Other: Immi igratio 
| history 


| Other: | Immigratio 
| history 


Other: Immi nigratio 
history 


: Other: inadmissi ibility and 
| national interest 


Canada Border Services Agency 


Canada under other 


| Personal plannit ing or 
| advocating the use 


| PIA 
- Rec M E EL c —————— 
issued by the IRB. 
- Date on which, ind city and Paper / To a assist with al ignin ng g the basis of inadmissibility 
| country where, inadmissibility Electronic determination with Ministerial relief submissions. 


. decision was rendered. 


Litigation status of 
. under or subject to id 


Reports or determinati ions of 
| inadmissibility under sections of 


Is the fi ndi ing of inadmi issibility : Paper / 


IRPA other than 34, 35, or 37 (this - 
includes all corresponding 


provisions under the former 
| immigration Act). 


Has applicant ever Leon relused Paper / 

| refugee status, immigration Electron 

| Status or a visa to Canada or any 

| other country? 

| Has applicant ever been refused Paper / 

| admission to, or ordered to 

| Electron 

| leave, Canada or any other 

| country? 

- qu qe s TIT ET — us 
arrested or detained for any 

Electronic 


reason? 


| Has the applicant ever planned or P 
| advocated the use of violence for - 


| Electronic : 


| Electronic - 


To determine compliance with the regulatory 
amendments. 


| To confirm and update background details of 
applicant and provide information to be 

| considered in the context of MR national interest 
| assessment. 


| To confi irm and update backerourid detail is of 


c applicant. 


: To confi irm and update background detail ils of 


c applicant; confirm requirements with proposed 


regulatory amendment (i.e. if removal order 
| issued) 


To confi irm and update background details of 


ir applicant, collect information on any prior or new 


criminal activity, and provide information to be 
| considered in the context of national interest 


| assessment for Ministerial relief. 


| To confi m and update background detail ils of 


| applicant, and provi ide information to be 


le Acc OR ee 


de la abi ur l'Accés à l'information. 


Name af Program n Activity / Service 
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| Voluntary 
| association with a 
group or designated 


| Other: inadmissi ibi lity and 
| national interest 


Awareness of 
| group's hostilities 


| Other: inadmissibility and 
. national interest 


| Participation in or 
| support of a group's 
. hostilities 


| Other: inadmissibility and 
| national interest 


Other: inadmissibili ity and 
| national interest 


| Other: inadmi issibility and 
. national interest 


| Any association with 
groups involved 


with terrorism or 


| subversion 


| Involvement in 

| activities of security 
| concern and/or 

| organized 
criminality 


Canada Border Services Agency 


political, social, or religious 


motives? 


| Was any association with a group, : 
| organization, military, : 


paramilitary or 


| designated regime voluntary? 


Was the applicant aware of the 
group's involvement in 
hostilities? 


_ Did the applicant participate in or | 
| provide support to a group's : 


armed 


hostilities? 


: Has the applicant ever r been 

| associated with a group that uses 
| or advocates the use of armed 

| struggle for religious, political, or 
| social objectives, and, if so, 

| whether the applicant was aware 
_ of the group's involvement in 

| Such activities? 


| Has the applicant ever engaged in | 

| espionage, subversion, terrorism, | 

| organized crime and/or 

transnational crime (e.g., human 

| smuggling, human trafficking, or 
. | money laundering)? 


. Was any involvement in activities 
| that r: raise security concerns 


a aaa aa aaa a 


| Paper / 
| Electronic 


| Electronic 


| Electronic 


considered in the context of national interest — 
| assessment for Ministeria 


| reli et. 


| To confirm and update background details of 
| applicant, and provide information to be 

| considered in the context of national interest 
| assessment for Ministeria 


| To confirm and update background details of 
| applicant, and provide information to be 

| considered in the context of national interest 
assessment for Ministeria 


To confirm and update background details of 
c applicant, and provide information to be 

considered in the context of national interest 

| assessment for Ministeri 


. To confirm and update background details of 
applicant, identify any prior, new or continued 

| association with groups posing security concerns, 
| and provide information to be considered in the 
context of national interest assessment for 
Ministeria 


i relief. 


i relief. 


al relief. 


| relief, 


- To confirm and update backerouna details of 
| applicant, and provide information to be 

considered in the context of national interest 
assessment for Min 


isterial relief. 


To confirm and update background details of 
| applicant, and provide information to be 


dela 


ur l'Acct 


EA gl sc DP 45. Ps enon dd 


ASFC - Divulgation à l'information 


Name of Program / Activity / Service 


| Other: inadmissibility and 
| national interest 


Other: inadmissibil ility and 
national interest 


| Other: inadmissibility and 
| national interest 


| Other: inadmissibility and 
| national interest 


| Complicity in war 
| crimes or crimes 
| against humanity 


| International 
| Sanctions 


| Employment history 


pum of 
| association with 
| organizations 


| and/or in 
| organized criminality or 
transnational crime voluntary? 


| Has the applicant ever advocated 
: or been involved in an act of 
genocide or in the commission of 
| a war crime or crime against 
humanity? 


. Was the applicant ever subject to - 
international sanctions imposed 
_ by an international group of 
| which Canada is a member? 


| Applicant to list all employers and - 
| volunteer work since the age of 
: ic (including all periods of 

| unemployment, if applicable), 

| including: name of 

|. employer/company/organization; 
| town, city, district, region, 

: state/province; country and 

| country of employment; 

| occupation/job title or 

| description of work and 

| beginning and end dates. 


. Electronic 


| To confirm and update background details of 
applicant, identify any prior, new or continued 
association with groups posing security concerns, 
and provide information to be considered in the 
context of national interest assessment for 


Applicant to list all organizations Paper / 
in which they have participated, Electronic 
| or of which they were (or still are) - 
|, a member, with which they were _ 
| (or still are) associated, and/or 


| which they supported, including 


Canada Border Services Agency 


considered in the context of national interest 
| assessment for Min 


. To confirm and update background detail ils ls of 

c - applicant, ensure applicant's eligibility for 
Ministerial relief, and provide information to be 
considered in the context of national interest 
| assessment. 


| To confirm and update background detai ls of 
applicant, and provide information to be 

| considered in the context of national interest 
assessment for Mini sterial relief. 


| To confirm and update background details of 
applicant, identify any prior, new or continued 

| association with groups posing security concerns, 
| and provide information to be considered in the 
context of national interest assessment for 

| Min 
upcoming Regulations — 24.2(1)(e) 


n 
ASFC- Divi gén 


Verte lai n ‘infor mation 


isterial relief. 


isterial relief. Required by ss.24.2(1) of the 


inisterial relief. 


CBSA - Released under thigAccess to Information Act. 
ASFC - Divulgation en vert@@He la loi sur l'Accés à l'information 


Name of Program / Activity / Service bua | PIA 


district, region, state/province, 

| and country), types of 

| organizations that they 

| supported, and applicant's titles, 
| roles, positions and 
responsibilities. 


| Other: inadmissibility and . Government 2 Applicant to list any positions | Paper / - To confirm and update details of the applicant, 
: national interest | positions held - with a government including the | Electronic | identify any prior, new or continued association 
| dates of employment, level of. — | with designated government regimes, and 

| jurisdiction, department/branch; : : provide information to be considered in the 

| activities and positions held, city _ | context of national interest assessment for 

- and country of employment, if - : Ministerial relief. 

| the position involved intelligence _ : 


| Other: inadmissibility and | Military Applicant to list any type of  Paper/ To confirm and update background details of 
| national interest | Paramilitary, or military, paramilitary or police ic applicant, and provide information to be 
| police service performed, including: considered in the context of national interest 
| whether service was voluntary or — | assessment for Ministerial relief. 

| mandatory; whether there wasa — | 

-draft age (age required to join); 

| the length of any mandatory 

- service; the applicant's length of 

service; whether the period of 

service was completed (and to 

provide the beginning andend — 

dates); under what circumstances - 

| the service ended; the applicant's | 

titles, ranks, roles and : 


Act 
l'information. 
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Name of Program / Activity / Service | PLA 
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| corresponding dates of 
| promotion); the branches and 

_ units in which the applicant 

| served; the titles, ranks and | 
| names of individuals to whom the - 
applicant reported; the country — 
and all locations of service; 

| awards, medals and 

: commendations the applicant 

| received (including dates); 
-disciplinary measures against the 

| applicant (including dates); 

| whether the applicant received 

| any military, paramilitary or 

| police training; whether the 

: applicant participated in any 

| conflicts, violence, or exchanges 

_ of weapon fire; and whether the 

| applicant ever witnessed or 

| participated in ill treatment of 

| prisoners or civilians, hostage- 

| taking, looting, or desecration of 
cultural 

: or religious artifacts or buildings. 


| Criminal checks/history | Criminal history Has the applicant ever | Paper / | To confirm and update background details of 
| - : committed/been party or been electronic applicant, and provide information to be 
arrested for, charged with, on | considered in the context of national interest 


trial Tor, erconvicted of d crime | assessment for Ministerial relief. 
. or offence, or subject to any : 


| arrest warrants or criminal 
. proceedings, in any country, 
including Canada? — 1 1 1 0. 


Canada Border Services Agency 


Name of Pre 


| any changes to their criminal 

| activity, charges or record; list all 
| offences, crimes and charges; 

| crime/offence type and code; 

. date of crimes or offences; date 

. charges laid; city and country of 
offence/charges; date and details - 
_ of disposition; any sentence 
imposed; date any sentence 
served; the institution and 

| location where sentence was 

| served; whether any sentence 

| was completed and, if not, 

: provide reasons; if the applicant 
has ever received a pardon, had 
| their record expunged or been 


| residence / international history, including 
| travel | countries of 
| previous residence 


Canada Border Services Agency 


| Applicant to list all 

| cities/countries in which they 

| have resided, or to which they 

| have travelled/visited 

| internationally, from the age of 
|. 16 to present. Applicant will need 

| to include the dates of 

| travel/residence, status in the 
: country of visit/residence, and 


| deemed to be rehabilitated and, 
| if so, provide details, including 
| dates and pardoning/granting 


Electronic - 
. whereabouts during their activities or 
involvement with groups/governments that led 

| to the finding of inadmissibility, and provide 

_ information to be considered in the context of 

| national interest assessment for Ministerial relief. 
| International travel is required by ss.24.2(1) of 

| the upcoming Regulations — 24.2(1)(f). 


CBSA - Released under: 


ASFC - Divulgation en vd 


applicant, assist in determining the applicant's 


Access to Information Act. 
de la loi sur l'Accès a l'information. 
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: Nati onal i Interest 

| evaluation including 
| any documentation 

| applicant wishes to 

| submit to support 

: their application. 


| Other: National Interest 
| documentatio 


| Contact information | Applicant's address 


| Representative/ 
| counsel s contact 
information 


| Other: Representative 


Canada Border Services Agency 


T Appi cant will also need to 


indicate whether their travel was 


| related to or conducted on behalf - 
ofany : 
| organizations/governments, 

| including those associated with 

| their inadmissibility. 


| Applicant may provide an account - _ Paper / 
| of how a declaration of relief 
from their inadmissibility to 

| Canada would not be contrary to 
| the national interest. 


| Various — there are no 
| restrictions on the types of 


information or documentation 


| the applicant may provide to 
| substantiate their justification for - 
. relief. : 


| street name, street number; 
 apartment/unit, city/town, 

| district, province/state, postal/zip - 
| code, country, P.O. box, email — — 
| address, and primary and 

| secondary telephone number 

| (residence, cellular and/or 

| busi ness). 


Counsel's name, street name, Paper / 
| Street number, city, province, Electron 
| postal code, email, telephone 


| Flectronic 


. Electronic 


Do Uu M Acc Ps enn bes n Act. 
Ee ———— EPI. us os i NN 


Applicant may provide submissions wi vith the ain 

| of satisfying the Minister that they should be 

| exempt from inadmissibility on the basis that it 
. would not be contrary to the national interest. 
: The applicant may voluntarily submit any other 
| supporting information or documentation they 


wish. The absence of a precise definition of 


| national interest allows the Minister broad 
_ discretion in weighing factors that fall under the 
_ rubrics of public safety and national security. 


- To maintain contact with applicant. Telephone 
| number ande email address requi ired ied SS. “oi à 


Other: Applicant 
| declaration 


| Appii icant 
declaration 


Ie UP 
| declaration 


Intention to appoin 
. / cancel 
appointment of a 
representative 


| Applicant Personal 
Information 


| Representative 
| Personal 
informatio 


Signature 


| applicant. 


Si nature Paper / 
Electronic 
Check box 


: Type of applicati on (permanent 
2 resident, extension, citizenship, 


| CIC ID pacer or limine Clie ent ID. 
| number (if known) | 


Canada Border Services Agency 


| To ensure appli icant understood the contents of 
;p the form. Applicant will need to declare whether 

they used the services of an interpreter in 

| completing the document, and to provide the 

| name and language as appropriate. 


Translator attests that documents were 
| accurately translated and understood by 


To indicate «ano icant's s intentic on to use a 
| representative 


| To identi fy representative 


umm Access to Information Aci 
ASFC - [Du wu alin e la loi sur l'Accès à l'information 


P Acc fe Infon bie n Act. 
de la " ur l'Accès à l'information. 


Name of ER / PSM i Service PIA 
Given name o identi fy RBortsentdtive 
| Compensated / uncompensated? : | To establish whether representati ve receives 
: < compensation for service 
Family member o or rfri end? o identify representati 
‘Other: Reptesenia ve Representative | Name of B or organizatio | To ont representativ ive's l'üiprüfessiaf 
- Contact | Informati ion : : | 
Name at supervising lawyer (if | To confir irm Atenes noy ve's — 
; student at law) 
-Supervising UVE menberi ip | To confirm representati VES profession 
| ID | 
Mailing address To € representati ive's profession 
Phone/fax To Sour rm hante ve's areles ion 
Email To confirm representative! s profession 
Other: Representative | Representative Member df NGO c or religious | | To confi irm representati ve's professio 
, Membershi ip - organization? | 
| Member of imm igration : To confirm representati ve's profession 
_ Consultants of Canada Regulatory : 
| Council (ICCRC), a Canadian law 
| society, Chambres des notaires 
. du Quebec (CNO) 
MEME CC 


Canada Border Services Agency 


Name of S, m / Activi idi pe Servic 


Will they be compensated by 


ICCRC? 


Canada Border Services Agency 


| Representative 
| declaration 


- Cancellation of 
| representative 
appointment 


Applicant 
. declaration 


Name, firm or organization of 
| representative 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Name of Program / Activity / Service | PIA 
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SECTION 4 - FLOW OF PERSONAL INFOR 


4.1.1 Process Map 
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Current Ministerial Relief Application Process 


E 

AS 
f Us E 
À = £ 
i T. M ui MM I II|Illl"l1|llele IlyVyvyvyyvy lll L 1 14 XL LL LL LL LL LAOLLLLLLL LLL LLLLLLLLLLLLLLLLLLLLLI —  —  — — EM 9 
1 [ox 1 & 1 
i ex i | 
i | | 
$ SE ia 
LEE ER — 


 apelicamt s fie from sult «eth DU as aeressary | 

EN MEUM i IBCCICHSA, DEN ENT EUR iani contre with third parties | 

Applica exelved |: üferewtion | Mi reviews BCS à | (ROMP, ESIS, INTERPEH) that | 

PRESETS Dove ye ex i H i : 
| 
1 
1 


Y | 
ZN i 


wo Otte the s, oes hA 
"d v iu TEE SS ea 
2C apptnant NO 9 ^. 


hs. Ne 
pv de pute DAR I P PAP SARI e 


EA AR RA AAA AAA. 


[Minister's deciden 


y 
obtsined from | | CBSA file to identity | seed N 
recorded. | 


aed glacedito bee $ T Je ee i : 
EORUM Mui ie Lager files an seed as i Do any third party i in the eu 
ee ee | Computer Systems | DO information. i ansessment, 


us ^^ subreissions ? 7 
dicctased ta e Fe 


Do meuding BAS, | i 
i NEMS, GEMS, STS, | | informatiun i not used. 
thCNOC x DIOE ee ne ee nn 


y 
Yes | 
| | 
E T 1 


UD new CN 


en + . i | REME, CSE, INTERPOL) thay | 
JY submissians N, Res be. poem : x 
E i *. E Uber infavmation eam bs wed 
ieee RAR RAR AS SARA RAR AR ARE Wat ratit ZU RD d 


2 ND in thee context of MR 
+. pedfectasture? i PARES 
a n i Besessment and disclosed to 
is "o i applicant: otherwise, 
SA Do dnferesatican is not used 


i Consult with DOJ as necessary | 
i and confirm with third parties | 


Ministerial Relief Unit 
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i. Applicants use form BSF 766E, available in PDF format fram the CBSA website. They may complete and submit the form and any supporting documentation, in paper, electronic or both formats. 
2. or in-Canada applicants and overseas applicants with representation in Canada, the draft recommendation package is courlered by registered mail. For overseas applicants with na representation in Canada, the package is sent via diplomatic 
bag and disclosed through a Canadian mission abroad. 


Canada Border Services Agency 
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Name of Program / Activity / Service | PIA 


4.1.2 Data Flow Diagram 


COLLECTION DISCLOSURE 


ett 
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aes ge Applicant information is assessed, if NA 


along with information related to the 
applicant im CBSA and FRONT files. 
here information was obtained frorn 
QOGDS, governments or international 
bodies, those parties will be cormubtecd 
to confirm their consent to the 
information being asec n support of 
the MR application. 


| 
Addition ad 
supporting docs. | 
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PIB 
CRSA PPU 1504 


STORAGE 


After the case is closed, the case file 
: willbe retained for RO years or until 
the applicant reaches gge i00 


Final DRA 
Recommendation 


Public Safety 


SPISI rI 


RDA ZO LS JOOS "Disclosure to INTERPOL ahnost 
Ducerncucuts. 


SYR is consulted if the appliicent 
spert tire in the 3.5. 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
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| personal information to the Ministerial Relief Unit | 
| (electronically, in paper format, or a combination 

|! of both), Policy Division, Enforcement and 

| Intelligence Programs Directorate. There are no 

| restrictions on the type of information the 

- applicant may provide to support their 


| A federal government institution (identify | Upon receipt of an application for Ministerial 

| from what PIB the information is obtained) relief, the CBSA will obtain the applicant's 

| | immigration case file with either IRCC, the CBSA, 

_ or both. IRCC PIB CIC PPU 042 will need to be 

| updated to reflect disclosure by the Ministerial — ^ 
| Relief program. Similarly, CBSA PPU 035, PPU 028, 
| PPU 032 and PPU 1403 will also need to be 

| updated. | 
| if the MRU wishes to incorporate information that | 
| was collected from other federal institutions fora - 
| former proceeding under the IRPA (for example, 

| information from the RCMP, CSC, or CSIS), the | 
| institution will be contacted to determine whether | 
| or not the source of the information consents to it : 
| being used in support of the Ministerial relief 
application, and to its disclosure to the applicant. : 


Non federal institutions 


| correctional authorities may be sought and used if 
| an applicant has spent time in a provincial jail or 


! Apart from requesting updates where relevant information may no longer be accurate, the Ministerial 

relief Unit does not seek out additional information relating to an applicant that is not already part of the 

applicant's case files related to the immigration continuum, or provided by the applicant in the context of 
_the application. 


Canada Border Services Agency 


CBSA - Released u ibid oe mation Act. 
ASFC - Divu A vertu de la i ur l'Accès à l'information 


dose Dy the Ministeria | | Reli ef Unie and es 
_ the source of the information permits disclosure 
to the applicant. For example, the CBSA may seek 
_ information from the U.S. NCIC if the applicant 
_lived in the U. s. 


- Internati onal Organization | Reports from | INTERPOL and similar organisati ons 
| may be used in the context of Ministerial relief 

| applications, where that information is on a file or 
| included in records obtained by the Ministerial 
Relief Unit, and where the organization permits 

| disclosure to the applicant." 


Hated BFOQPFOIms OF GUCTIVITIBS gnd 


immigration Investigations Program | Organiz zed Crime Data Bank (OCSS) 
| | CBSA-PPU-030 

| Information contained in this bank may be 

| used in the administration and enforcement 
_ of citizenship and immigration legislation 
| The authority to collect personal information 
_ is authorized by sections 5(1) of the Canada 

| Border Services Act: sections 11(1), 12.1(1), 
| 13(a)(b), 98(1), 99(1) and 101 of the Customs 
| Act; Sections 15(1) and 18(1) of the 
| Immigration and Refugee Protection Act as 
well as sections 12(1) and 18(1) of the 
: Proceeds of Crime (Money Laundering) and 
_ Terrorist Financing Act. 


The indi ividual o Ora representativ A disclosure package consisting of a draft MR 
: , recommendation and supporti ng records 


in practice, the 2 MRU almost never seeks applicant ant information from m international onal sources, 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
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_ Collected under section 15 of the CS/S Act to 

| provide security assessments pursuant to 

| section 13 or advice pursuant to section 14 of 
| the Act. Pursuant to sections 19(2), 13 and 14 
| of the CSIS Act, CSIS may disclose information 
or may match information in the preparation 
- of a domestic or foreign security assessment 

| or in providing advice pertinent to the 

| Citizenship Act or Immigration and Refugee 

| Protection Act 


| RCMP PIB PPU 005, contains information 

. Compiled in the administration or 

| enforcement of the law and in the detection, 
| prevention, or suppression of crime generally 
andis collected in accordance with section 18 
| of the RCMP Act and section 17 of the RCMP 
| Regulations. 

| IRCC PIB PPU 042 contains information that is 
| used to determine the eligibility of applicants 
| for permanent residency under an economic 
class, as authorized under IRPA, and to 

| administer and enforce program 

| requirements. Select information may be 

| shared with the CBSA for the administration 

| and enforcement of immigration legislation 
or for law enforcement purposes. 


. DOJ contains information in order to enable 

| the Department of Justice Canada to carry 

| out its duties as legal advisor to the federal 

| government pursuant to sections 4 and 5 of 

| the Department of Justice Act. This bank 
contains information relating to civil legal 

| proceedings and legal services provided to all 
| federal departments and most government 

| agencies and institutions. 

| Public Safety (Ottawa) PIB PPU 026 is used to 
support the Minister, the Deputy Minister, 
and their officials in the exercise of their 

| statutory duties, powers and functions; in 

| carrying out such other national security and 
| related law enforcement responsibilities as 


CBSA - Released under the Access to Information Act 
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Name of Program / Activity is Service PIA 


| their obligations to manage, and be 

: accountable to Parllament for, the national 
: security policies and programs of the 

| Portfolio. Information relating to threats to 
| the safety of persons or property or to the 
| security of Canada may be disclosed to 

| officials of the Government of Canada, to 

|! officials of other levels of government in 
Canada, and to such other persons (including 
| law enforcement agencies) as the Minister 
| may determine are either subject to such a 
| threat, or are in a position to assist the 

| Government of Canada in the detection, 

| prevention or — of any such 
threateni ing activ itie 


- Provincial Government . Applicants’ names, date of birth and other 
identifiers may be disclosed in order to obtain 
| reports from provincial criminal justice and 
- correctional authorities where an applicant has 
| Spent time in a provincial jail or detention facility. 


- Munic ipal Government N/A 
- Abori iginal Government n Counci 7 : N/A 
- Organization of a Foreign State Applic: cants name, — of bi rth and other 


| identifiers may be disclosed to the FBI’s National 

| Crime Information Center (if individual spent time 
_in the U.S.) to obtain information on crimes 
| committed by the applicant in the U.S. (Bridgeport, - 
| West Virginia, U.S.) 


- Tame ional Organiz: izatio Through the CBSA National Secuti ity Screening 
Division, the applicant's name, date of birth and 
gender may be disclosed to INTERPOL to obtain 
| information on international wanted person alerts 
| ("red notices"). (Lyon, France). 


- “Located i in Canada and Forei ign Owned N/A 
- | Located abroad and Canadi; an Owned | N/A 
- Located abroad and Forei ign Owned N/A 


Canada Border Services Agency 
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A federal government i institutio : CBSA, Min isterial Reli ef Uni t, Ottawa; secure 
-cabinet (DASCO), and Top Secret safe. 

Records of the outcome of the decision are 
entered into NCMS, and may be entered 
into GCMS. Applicant submissions and a 
consolidated copy of existing immigration 
information relating to the applicant are 
stored as hard copies and electronically on 
the CBSA internal network. 


identity me areas, groups ane neh E who access and nance the personal information: 
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Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Identify Grounds Or Áreas "m or T Positions who have access or use the 
Divisions personal information (where appropriate) 


MRU, Policy Division, Enforcement | Staff of up to 12 individuals includin ne 
and intelligence Program manager. 
Di rectorate (EIPD) : 


Director’s Office, Poli icy Division Director 
| (EIPD) | Support Staff 


| Di rector General’ a Offi ice (E IPD) | Exo Ve Di foctar c PENNE. DUMP 
| | Director General 
| Support Staff 


Vice President's Office MEL remet 
| Support Staff - 


President's Office | President 
| | Support Staff - 


- Minister's Office | Minister 
- | Support Staff — 


_ Legal Services | Department of Justice lawyer 
a to review decision 


iaaa AAA TITTET 
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Has a legal authority been identified for the collection of personal information for this program or activity? 


Statutory reference: Section 4 of Privacy Act (Section 4 has been interpreted to mean that a legal authority 
must be established for a collection of personal information, but section 4 does not provide legal authority for 
such a MR 


Yes 


1.1 DX] Specify the legal authority and briefly explain its connection to the program or activity or how it 
: Pads the collection of the duod ena. 


F The Canada Border Services Agency (CE 


SA) will collect the personal information o on nthe form 

. under the authorities of subsections 15(1) and 16(1) of the Immigration and Refugee Protection 

| Act (IRPA), and paragraph 28(a) of the Immigration and Refugee Protection Regulations (IRPR) 

| and pursuant to new regulatory amendments to the IRPR that will be created in order to 

| authorize the collection of specific information for the purposes of Ministerial relief applications. 
| This new regulations will also incorporate certain elements of section 10 of the IRPR, as well as 

| specifically authorize the Minister of Public Safety and Emergency Preparedness to create an 

| application form for Ministerial relief (see Attachment 2). 


The personal information is being collected i in order to process ; applications for MR, which are 
decided upon by the Minister of Public Safety and Emergency Preparedness (the Minister) 
pursuant to section 42.1(1) of the IRPA. 


fi ne ofi nadales sibility sn wen ing hal itted c an n application to the ( CBS, 
| The information provided by the applicant, and derived from the applicant's a tits 
immigration case file are important as they provide the CBSA with the necessary information 
from which to draft a recommendation, and for the Minister’ E subsequent decisi ion. 


— Continue to esta Z 


» 


**The PIA process us not uic without this key HR E oi 
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Name of Program / Activity / Service PIA 


Is each element and sub-element of personal information collected or to be collected necessary to 
administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 


Policy reference: Sections 6.1.1, 6.1.3, 6.1.4, 6.2.7 and 6.2.8 of Directive on Privacy Practices 
YES 


**Personal Information Bank (PIB) should be found within "Section i ~ Overview and Initiation" above** 


| 2.2 Dx] AND, implement controls and procedures to ensure the CBSA does not collect more personal 
: information than is necessary for the identified program or activity and that a continuing need exists 
for that information or its collection. 


"*Ensure to provide the "controls and procedures" as an annex to this PIA** 

| 2.3 Are secondary uses contemplated for the information collected? 
“Treasury Board defines a “Secondary Use” as a purpose that is not consistent with the original purpose of | 
| the collection.** - 
[yese | NO (Continue to Question 3) 


| **If you've selected “Yes” to Question 2.3 above, please note that Consent is required for all “Secondary 
| Uses". Please ensure that a “Consent Statement" is created. P 
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rictel^ below for the information required in a "Consent Statement". ** 
use or disclosure of the personal information? 

| **Please ensure that the Legal Authority ide 
_ information.** 


ntified above allows for all uses and disclosures of the personal | 


YES | | NO 
-> Continue to Question 3 
NO 


: 2.3 E Review the proposed elements and sub-elements of personal information outlined in "Section 3 — 
| Analysis of Personal Information Elements" to identify those that are "necessary" and not merely 
useful. Document any changes. 


| is the collection of the Social Insurance Number (SIN) necessary to administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 


Policy reference: Section 6.2.13 of Policy on Privacy Protection and sections 6.1.1 and 6.2 to 6.4 of Directive on 
Social Insurance Number 


Canada Border Services Agency 


CBSA - Released u ibid oe mation Act. 
ASFC - Divu A vertu de labi ur l'Accès à l'information 


Name of be hal A Activity / Service | PIA 
T aie "— — — -— — T" 


B 1 | ] Collection of the SIN must be in compliance with the Directive on Social Insurance Number (please 
| check all appropriate boxes below): 


B 2 LI State legal authority for collecting the SIN 


OR, inthe Le of a legal authori ity to collect the SIN 
B 3 [ ] Establish explicit authority through legislative a . 
34 | | Establish | legal authority as outlined in the Directive on Social insurance Number. 
AND, if disclosure of the SIN by the CBSA is to occur ona routine Or systematic basis 


3.4.1 | ] to another federal institution that is authorized to collect it, or to another level of government, 


establish an agreement or arrangement that includes specific provisions to limit the use of the 
SIN. 


provisions to limit hs use eof the SIN 


3, 5 [| AND, ensure that the relevant PIB for the program or activity states the authori ity under which the 
| SIN is collected and the purpose for which it is used. 


— Continue to Question 4 
NO 


| B 6 [X] The SIN is not necessary and it will not be collected, used or disclosed to administer the program or 
: activity. 


— Continue to Question 4 


| Is personal information collected directly from the individual to whom it relates? 


Statutory reference: Sections 4 and 5 of Privacy Act 


Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and section 6.1.2 
and 6.4.1 of Directive on Social insurance Number 


TER 


| 4.1 


a atthe time collectis ion and it must include the ADM icc 
a) The purpose and authority for the collection 
b) Any uses or disclosures that are consistent with the original purpose. 
c) Any uses or disclosures that are not related to the original purpose 
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use, in which case a "Consent Statement” m: y need to be added to the “Priva acy y Noti CO c see 
| 
below for "Consent statement" elements.) 


dj Any legal or admin istrative Consequences for refusi ing to provi ide the personal informatio 
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e) That the "individual to whom the information relates" has rights of access to, correction of and 
protection of personal information under the Privacy Act. 


f) À reference to the PIE for the program or activity 
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**Earacopy of the CBSA Privacy Notice a onsent Statement template, contact the ATI and 


Privacy Division. "" 


an : 
ity For the 


AND, add a "Consent Statement" to the "Privacy Notice" as appropriate, if the personal information is to 
be used or disclosed for a purpose other than the original purpose (Secondary Use) or a consistent use, 
or, to authorize indirect collection of iugi information 


a) The purpose of the consent and the specific personal information involved. 
b) in the case of indirect collections, the sources that will be pens to aaa ide the RIGHNSOD 
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x Uses aiid disclosures that are not consistent with the original purpose of the collection and for 
which consent is bei ing AM 


E 


orasecondary use or 


d! Any consequences that may result from withholding consent. 
e) 


Any alternatives to providing consent 


opy of the CB3A Privacy Notice and Consent Statement template, contact the ATI and 


| AND, implement controls and procedures to ensure that the CBSA keeps a record documenting 
whether or not an individual provided consent when it was sought, including a record documenting 
any withdrawal of consent when applicable 


**Ensure to provide the “controls and procedures" as an annex to this PIA** 


jen ional Consent Considerations (s. 77(1)(m) of the Privacy Act): 


5 Standards and mechanisms are in place to ensure that the individual has capacity to giv 
consent, 


**Ensure to provide the "standards and mechanisms" as an annex to this PIA** 


— Continue to Question 5 
NO 


44 | | The An | information necessary for the program or activity is not collected directly from the 


individual. It is collected. indirectl ly, for example, from another program wi ithin the CBSA, or from 


Canada Border Services Agency 


Name of Program / Activ uii / Service | PIA 


ES another institution, government or third party. 
— Continue to Question 5 


is personal information collected indirectly from another source with the informed consent of the individual 
| to whom it relates, or from a person authorized to act on behalf of the individual pursuant to section 10 of 
the Privacy Regulations? 


Statutory reference: Sections 4 and 5 of Privacy Act and section 10 of Privacy Regulations 
Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and sections 6.1.2 
and 6.4.1 of the Directive on Social insurance Number 
YES 
S The notice and consent requirements stated at Question 4 apply. Please provide the "Privacy Notice 
and/or "Consent Statement" below: 
**Foracopy of "m he CBSA Privacy Notice and Consent Statement template, contact the ATI and 
Privacy Division" 
| AND, implement controls and procedures to ensure the CBSA keeps a record documenting whether 
or not an individual provided consent when it was sought, including a record documenting any 
| withdrawal of consent when applicabile. 
**Ensure to provide the "controls and procedures" as an annex to this PIA ** 
5.3 [X] AND, if information is being collected from persons authorized to act on behaif of minors, 
open or individuals who have been deceased for less than 20 vears, implement appropriate 
mechanisms to ensure that such persons are authorized to act on behalf of individuals who do not 
- have the capacity to provide consent. 
- **Ensure to provide the “mechanisms” as an annex to this PIA** 


— Continue to Question 6 
- NO 
5.4 | | -» Continue to Question 6 


is Ron) information collected from another source without notice to or consent from the individual to 
whom the information relates? 
Statutory reference: Sections 4, 5, 7 and 8 of Privacy Act and section 10 of Privacy Regulations 


Policy reference: Sections 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices, section 6.2.15 of the Policy 
on Privacy Protection and sections 6.3.2 and 6.3.3 of Directive on Privacy Impact Assessment 


Canada Border Services Agency 


CBSA - Released u ibid oe mation Act. 
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or wenn ne ihe en iiu to s it relates, please check ie appli licable s and yes in as 
requested: 


| ] a) The collection is a result of a disclosure to the CBSA under subsection 8(2) of the Privacy Act. 
State the applicable paragraph(s) of subsection 8(2} and provi ide a brief explanati ion for each: 


E M Li gy" * EY SOR PS PPS E VU E ANS M 33 
Details: | (This information is s mandatory] 


[ | b) Direct notification of the indivi dual m might result in the co ollection of inaccurate information, or 
might defeat the purpose or oras ub use ee which the Dora is collected. Briefly 
od ain why noti ice is not PUN (For tain kinds « i 


ye BOO NS oS a y eov x 
PE SAS: ere See SEER 
E: i ER H ne S WR XV X Rae ek DR FEF, 


C WT 


ui investigation $ tii ig hi m 


mondotor yj 


Sdn istrative purpose. in me no decisions are s made did the ^ iduals to MIROR the 
information relates. (This includes research, statistical, audit or & 1 ; 
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| AD. if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the relevant 


- 6.3 AND, if the information is to be used solely for a non-administrative purpose (box c above has been 

2 checked), ensure that the requirements under sections 6.3.2 and 6.3.3 of the Directive on Privacy 
impact Assessment have been met, and that the decision of the official ai responsible for section 10 of 
the Privacy Act ta proceed with a CBSA PIA for the program or activity has been adequately 
documented in the description of the program or activity in “Section 1 - Overview and PIA Initiation” 
of the CBSA PIA. 


col ae di e Sim the indivi A or dede y with the consent tof ifie en idual. P Bs review 
the responses to Questions 4 and 5 and ensure that the "Privacy Notice" or the "Consent 
Statement" includes all of the required elements within C Ot : 


— Continue to Question 7 


LX All personal information is collected direct! ly from the individual to whom it relates, or from : 
another source with notice to, or consent from, the individual or a person authorized to act on behalf | 
of the indi ividual (see Questions 4 and 5 above). -> Continue to Question 7 | 


| Has Library and Archives Canada PEES a coe retention ? and PORUM schedule that applies to ii 
. personal information: ? (Consult information Manac Officials to d 
dispose the personal information and pro 
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Statutory reference: Section 12 of Library and Archives Canada Act, sections 5, 10 and 11 of Privacy Act and 
_sectic ion n4 of Privacy Regulations | 


Canada Border Services Agency 


7 1 X Please pipe the Record Di ispositic on Authori kd os) ang describe the retenti ion ano s 


74 [X 


CBSA - Released u iden Do mation Act. 


ASFC - Divul Austin 


Name of Program / Activity / Service : PLA 


: 
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Policy reference: Sections 6.1.3, 6.2.11 to 6.2.13 and 6.2.23 of Directive on Privacy Practices 000000000 
YES 


p: 


d retained 


LE 


$ for d SE fé: ar omm art Huge for fü Ve 


2 ied by — 
| CE r30 | years « or unti til a applicant aia age | 100: iis destroyed] ifthe Bm has been | : 
! designated as having enduring value, it will be transferred to the control of Library and Archives | 
| Canada. The reason for this long retention period is that the IRPA does not preclude foreign 
| nationals from reapplying for Ministerial relief even when the Minister has previously denied 
| them relief on one or more occasions. Each time, an applicant's past submissions and 
Statements given to government officials over the years, as well as any relevant historical 
| records such as previous decisions (including any prior MR disclosures and decisions) must be 
! reviewed and provided to the Minister in order for the Minister to render an informed decision 
that is legally sustainable. 


7. 2X AND, implement controls and procedures to ensure that personal information heed to make | a 


decision that directly affects an individual will be retained for a minimum of two years after the last 
administrative action or, where a request for access to the information has been received, until such 
time as EUN indiv /idual has had the opportunity to exercise all ee ri os ner the Act. (For 

impl formation must be i siete ed for atleast t CRSA AT ip 


'ed by eo Federal iip then the inforn 
i iis completed, and so on.) 


b |  Fnsure tor o provide! the "controls and S procedures, as an annex to this PIA** 


pauio prior to the expiration df the MANU minimum ss ion ‘andar establis shed bo "a 
Privacy Regulations, it must obtain the consent of the individual to whom the Herm ion bs 
EOF ae ing so. (This may occur if, for example, within the two year period it etermined that the 
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| AND, the CBSA must cite the RDA Busy ihe retention period and the disposition standards for the 
personal information in the relevant PIS. 


— Continue to Question 8 
NO 


| 7.5 | ] Provide a Records Disposition Submission to Library and Archives Canada describing the records 


containing the personal information for which the institution requires a RDA. 


| 7.6 |_| AND, obtain a RDA from Library and Archives Canada to allow the CBSA, under certain conditions, to 


dispose of records that no longer have operational utility for the program or activity. 


| 7.7 |] AND, ensure that all the other applicable requirements listed under "YES" at Question 7 are met. 


— Continue to Question 8 


Canada Border Services Agency 
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EE oo ooo ee ee ee welded eh et PR 


Will measures be adopted to ensure that personal information used by the CBSA for an administrative 
purpose is as accurate, up-to-date and complete as possible? 


Statutory reference: Sections 6, 10 and 11 of Privacy Act and sections 10 and 11 of Privacy Regulations 
Policy reference: Sections 6.1.1 and 6.2.9 to 6.2.16 of Directive on Privacy Practices 
YES 
| Please check any of the following measures that will be adopted to ensure accuracy of the personal 
egi and provide details as requested: 
8.1.1 X Personal information will be collected directly from the individual to whom it relates or it will be 
validated with the individual or a person authorized to act on behalf of the individual. 


reliable source' ' (within or ae de the n where thi is is AP M or ees consent \ was 
obtained 


: Details: Data matching between the applicant’s submissions and CBSA records will be done. 
| by matching the biographical and case data provided by the applicant to any already 

: existing immigration information in IRCC or CBSA case files relating to the applicant. These 
case files may also contain information from third parties. Information from third parties 

| collected for the purposes of administration of the IRPA will be used in the context of 

| Ministerial relief if the third parties agree to the use of their information for that purpose, 
and to its disclosure to the applicant. Information other than that which was provided 

| directly by the applicant, and that is used in the context of the Ministerial relief application, 
: is disclosed to the applicant. The applicant has the opportunity to make additional 
submissions, including consideration. Reconciliation of the information from an application 
| for Ministerial relief with existing case files can be achieved by matching available data 

| elements such as: name, date of birth, country of birth, country of citizenship, client 

| identification number, and case details. 


8.1.3 ar In cases s where direct collecti ion or consent is not feasible, the CBSA will obtain informatie ion nion 
trusted sources (public or private) and verify accuracy against existing personal information 
before use. 
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Canada Border Services us 


and procedures to ensure that: 

a) the technique(s) and the specific source(s) used to validate or update the personal information 
are documented; 

b) individuals are given the opportunity, whenever possible, to request correction of any inaccurate 
personal information before the information is used in a decision-making process that affects 
them; 

c) personal information can only be modified or corrected by those within the CBSA who have the 
authority to do so; 

d) when personal information is corrected or annotated, the record of personal information 
indicates the date of the last correction or annotation and the source of the information used to 
make the correction or annotation; and 

d) when personal information is corrected or annotated, other authorized holders of the E 
information are notified about the correction or annotation and that all copies of the information 
in the possession of the CBSA are corrected / annotated. : 


**Ensure to provide all relevant “controls and procedures" implemented as a result of the above 
_ requirements as an annex to this PIA®® | 


Will the personal information collected for the program or activity be used solely for the original purpose 
- for which it was obtained or compiled, a use consistent with that purpose, or a purpose for which the 
information was disclosed to the institution pursuant to subsection 8(2) of the Privacy Act? 


Statutory reference: Sections 5 and 7 to 11 of Privacy Act 

Policy reference: Sections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices, section 

6.2.15 of Policy on Privacy Protection and Section IV of Appendix C of Directive on Privacy Impact Assessment 
YES 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


| AND, ensure that the "Data Flow Diagram" or "Data Flow Tables" completed for “Section 4 — Flow of 
Personal information" of the CBSA PIA identify the areas, groups and individuals (e.g., the positions) 
within the CBSA who have a need-to-know to access to or handle the personal information, including 

graphical location and where the pe e stored or retained. (See 
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purposes) the CBSA will adhere to the requirements and principles in the CBSA Privacy Protocol For 
Non-Administrative Purposes (2012), in accordance with section 6.2.15 of the Policy on Privacy 
Protection, to address any impact that such non-administrative uses may have on privacy. 


- -> Continue to Question 10 
| **Ensure to provide the "controls and procedures" as an annex to this PIA** 


NO 


9.5 | ] AND, ensure that these 
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9.6 [] AND, include a description of these other uses in the "Privacy Notice" or "Consent Statement", as 
| appropriate, 


[ ] AND, ensure the all the other applicable requirements listed under "YES" at Question 9 are met. 
— Continue to Question 10 


Will personal information be disclosed for purposes directly related to the administration of the program or 
activity? (This includes, for example, disclosures to other program FRE A : 
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statutory reference: Sections 5 and 8 to 11 of Privacy Act. 


Policy reference: Sections 6.2.10, 6.2.11 and 6.2.13 of Policy on Privacy Protection, sections 6.2.1 to 6.2.3 of 
Directive on Social insurance Number, sections 6.1.9, 6.2.9 to 6.2.13 and 6.2.15 to 6.2.20 of Directive on Privacy 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Name of Program / Activity / Service PIA 
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Bus into ROUE Before nons Contracti ing Decisions 
YES 


10. 1 Please check all applicable boxes below and, for each di sclosure, identify the name of the 
organization or third party to which personal information will be disclosed. If it is disclosed within 
the CBSA, please identify the branch and the program or activi ity. 


10.1.1 | 


< wi ithin the CBSA for another program or acti ivity 


— Detail Informati on may be used to support other i immigration enforcement processes. 
| Shou d the applicant disclose new information that demonstrates misrepresentation on a 
previous application that lead to obtaining of status in Canada, efforts to vacate the 
| previous decis ion n may commence. 


10.1.2 | 


Detail: Other federal government i insti ituti ons are contacted when information 

- originating with those departments is within the case file of a person seeking Ministerial | 
relief, and consent from the originators of that information must be secured for the 

| information to be used in support of drafting the | 


linisterial relief recommendation. 

| Other federal government institutions are only contacted with respect to the information — 
| that those departments provided either to IRCC or CBSA in the past. Generally, third party : 
_ information is not disclosed to other federal government institutions that are not the | 
| originators of the information. Occasionally, in order to prevent inadvertent disclosure, 

: CSIS may be engaged to conduct a review when there is concern that a third party 

| document (e.g. IRCC report) contains national security-privileged information. The 

| Ministerial recommendation and supporting documents (including the applicant's 
submissions and the relevant information from the immigration case files may be provided 

| to DOJ for review to ensure compliance with administrative law and relevant : 
jurisprudence. DOJ is engaged on an as-needed basis, and could be asked to re-review the | 
| recommendation for the same applicant, if sufficiently significant changes are made or | 
| novel arguments are raised following disclosure of the recommendation to the applicant. v 


10.1.3 SA Nr Í, territorial or muni nicipal governments insti itutions 


. Detail: Reports from p provinci jal criminal justice and correctional authoriti ties may be 
| sought and used if an applicant has spent time in a provincial jail or detention facility. 


10.14 X F 


: “Detail: The ident ity of appli icants who have spent time in the U. s may be discl losed to the 
| _EBI’s NCIC to ascertain whether the applicant has a criminal record there. 


. Detal il: Informati ion ori sriginating with | INTERPOL may be present onan immigrati ion (IRCC or | 
| gus case fi me. im 9 ne M nisterk al il Reli er Unit wi isht toi susci that informati ion into — 
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| disclosure of its i 
- | into O in draft ing et recommendation. in B practice, a CBSA rarely h hasin its 
| possession, or discloses, applicant information from international sources. 


seem 


Detail (inis information is mandato: y 


10 2:1] AND, ensure that: 


a) any such disclosure is made in compliance with section 8 of the Privacy Act, which allows 
disclosures of personal information with consent of the individual to whom the information 
relates (subsection 8(1)) or without consent in certain and limited circumstances pursuant to 
subsection 8(2) of the Act; 


D) only personal information elements that are necessa ry for the intended purpose are disclosed; 


c) the organization or third party receiving the personal information is authorized to do so; 
d) administrative, physical and technical safeguards appropriate to the sensitivity of the informatio 
will be applied to protect the information duri ing and after its transmission (see Question 15]; 


e) the organization or third party to which the personal information will be disclosed for the 
admin Istratio on of the Tom Or activi D are ini edi in the "Consi stent call section in the 
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a a of E Md. PIA include details on the disclosed personal informatio on: (See Section 
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< AND, any disclosure of personal normat ion to another federal institution or outside the 
Government of Canada is governed by a formal | agreement or arrangement (e.g., a Memorandum of 
Understanding, an accord, a contractual arrangement, etc. ) to ensure that appropriate privacy 
protection clauses are included, and, where applicable, include provisions for inter-jurisdictional or 
transborder flows of personal information. Such n must cover the following topics: 


a) Control over personal information, where appropriate. 
b) Limitations on the collection, retention, use and disclosure of personal information 


c) Measures (administrative, technical and physical) to protect the integrity and confidentiality of 
personal information 


d) Measures governing the disposition of the personal information, where relevant 


e) Measures to ensure or verify that the personal information is only used for the purposes related 
to the agreement, arrangement or contract. 


Canada Border Services Agency 


ie 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


f) Obi igations are to be extended to other parti ies such as subcontractors. 
-> Continue to Question 11 


| NO 
10.4] ] There is no disclosure of personal information within or outside the institution for purposes that are 
directly related to the administration of the program or activity. 


— Continue to Question 11 


Policy reference: Sections 6.1.9 and 6.2.2 of ore Privacy Practices 
YES 
| 111 [X] Appropriate controls and procedures have been or will be implemented to ensure that: 


a) the head of the institution (The ATI and Privacy Director) or the appropriate delegate is notified 
about any new use or disclosure of personal information that is not reflected in the PIB 
description published in CBSA info Source; 

D) theconsent of the individual to whom the information relates is obtained in writi ing, as 
appropriate, prior to any new use of the information for an administrative purpose that is not 
reflected in the relevant PIE published in CBSA info Source, unless the new use is considered to 
be consistent with the purpose for which the personal information was obtained or compiled and | 
the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith regarding 
the new consistent use; 


c) Mind as ol itted under subsection ma ) of Privacy Act, "i disclosure of personal 


W will only i: made with the consent of the indi Sod to whom F informati ion mier 
d) arecord : dd I - new use or disclosure of — iris not PAM in p 


1, Organization or body 


"E E Ez "m. 3 

ee d IM" 

PPE PIS PPP SEPP EPP ir yy PU riggen 
fhe. FES ERS PPTL LPR Pe. VS LS IX 


a copy of the 


tion of ¢ exactly what | 


ej ifthe information is disclosed to a dei investigative body under paragraph 8(2)(e) of the | 
Privacy Act, the record of disclosure will be kept in a separate PIB for a P iod of two nes PAGE 
it will be available to the Pri Ton E for review upon request; í/e.g., Standard P 
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f) the ae Commi ssioner is notified, " (ha CBSA An and Privacy Director, DA th, as required id 
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"Ensure to provide the “controls and procedures" as an annex to this PIA** 
|. NO 


| 11.2 || P ease expla in why such controls and procedures will not be implemented 
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m Detail: CBSA policy requires that any new use or disclosure of the nn informatio 


a anne 


gu ) or di Both jt tliat are SE with res purpose for which the d on was 
obtai ned or compiled, as well as — routine Vina | or "d Gud Pi that do not fall within the 


id include disclosures of inge 


s fle); vend 

the Privacy Commissioner is dese En the ATI and Privacy Director, prior to or forthwith, as 
required under subsection 8(5) of the Act, about any disclosures made or to be made in the 
public interest or in the interest of the individual to whom the information relates. 


nadie HO 3i 5 


| that is not included in the relevant PIB published in CBSA Info Source be identified to ili 
| ATIP Coordinator, who will notify the Office of the Privacy Commissioner and update the 


| program PIB as required. 


= senate to y Queso 12 


Detail Provide adeque ate justification. 
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| The information contained in the SoS or similar analysis has been taken into account when assessing 


the level of risks to privacy in "Section 2 - Risk Area identification and Categorization” of the CBSA 


PIA. 


— Continue to Question 13 
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| **Ensure to provide the “SOS” as an annex to this PIA** 
NO 


| 12.2| | Please explain ai a 505 or similar analysis was not considered necessary to assess the sensitivity of 
: the informatio 


Detail: (This information is » mandatory) 


Statutory reference: Sections 7 and 8 of Privacy Act. 


Policy reference: Appendix C of Directive on Privacy impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: Management of 
information Technology Security (MITS) 

" 


Detail: [This in information is s mandatory] - 


13.2 ry AND, obtain assurances from the Gibts als Is responsible for the p program or activ uiy that the measures 
recommended in the assessment have been implemented to ensure the confidentiality, availability 
and integrity of the personal information. 


| 13.3 AND, ensure that any residual risks to personal information are known and accepted by the 
| executive or senior official responsible for the program or activity and the Head or delegated 
authority for the Privacy Act. (ATI and Privacy Director) 


— Continue to Question 14 
NO 


13.4 [X] If a TRA or similar security assessment is underway, simply reference that fact in the space below and | 


ingi cate when it is likely to be compl leted. f there i is no intent to complete one, please explain 


| Detail: Submissions collected asa result of the application for relief are not saved in electronic 
_systems. 


Canada Border Services Agency 


CBSA - Released u iid oe mation Act. 
ASFC - Divu AG vertu de la i ur l'Accès à l'information 


Name of a i ba i ROI / Servic PIA 


JO THYISOSI 


| information. {$ 


[omms Pho nature of ff hg onm ES 
OMG Tne TENUE OF Cre TIE Qi ui 


PCT Meer 1 
RTS Pe UP 
diislidiitu. 


MOTEL 1! with IDOL 


Statutory reference: Sections 7 and 8 of Privacy Act 


Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: Management of 
information Technology Security {MITS} 


Please check all that apply, including safeguards identified by the TRA or similar security assessment. 


14. 1 Admi nistrative safeguards 

X] Internal security and privacy policies and procedures 

X] Staff training on privacy and the protection of personal information 

^X. Screening and security checks of employees 

X| Appropriate security levels for employees who will have access to personal information 


| Contingency plans and documented procedures in place to identify and respond to security and 
privacy breaches, and to communicate security violations to the data subject, law enforcement 
authorities and relevant program managers 


| Regular monitoring of users’ security practices 


[X] Methods to ensure that only authorized personnel who need to know have access to personal 
information 


| Restricted access areas 

X Security guards 

Identification badges are worn by staff at all times 
(| After hours alarms and monitoring systems 
[X] Locked filing cabinets 

[X] Combination locks 

| Safes 

| Cipher locks 

[X] Key cards 

Video surveillance (closed-circuit television) 
| Secured server locations 

| Backups secured off-site 
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X| Passwords ae nimum of 6 characters long, include alpha and numeric characters) 
| Passwords are changed by users every 90 days and recently used passwords cannot be re-used) 
Password protected screensavers 


SA Session-time out security (automatically locks an account after a session has been idle for a 
specified amount of time) 

<] firewalls 

x Intrusion Detection System (IDS) 


| Virtual Private Network (VPN) 
| <x Encryption of sensitive information 


Government of Canada Public Key Infrastructure Certificates (PK!) 
| External Certificate Authority (CA) 


— Continue to Question 15 


**Ensure to provide the “controls and procedures" as an annex to this PIA** 


Will the information system(s) used to deliver the program or activity employ too devo or atten on n | 
| technologies to collect personal sana gout users and their TUIS MCHOIRK input to this section should | 
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rivacy Regulations 


Statutory reference: Sections 4 to 10 of the Privacy Act and section 4 of P 


Policy reference: Subsections 6.1.1, 6.1.3, 6.1.9, 6.2.9 to 6.2.13, 5.2.17 and 6.2.23 of Directive on Privacy 
Practices 
YES 


as 1 || The specific tracking technologies to be used is adequately described under Part 6: Technology ane 
Pri me) of “Section 2- Risk Area 2 ee dea we FC oe SP the iod PIA; (For example, the - 
pa E m MAE E nd time of logon, logout, —— 


" ; dus ais t0 &ii ipport 


EE 


for a period of two 
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15.2 AND, the collection of any personal information using such technologies is reflected in the relevant 
| 1B ir n "Section du - Analysis 9f FERON Preman Elements" is the CBSA PIA; 
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Name of Program / Activity / Service | PIA 
j 


adequately reflected in the "Privacy Notice"; 


15.4| | AND, those responsible for implementing and using tracking technologies to collect personal 

: information or who may have access to personal information collected through these methods are 
2 made aware of privacy and security policy requirements: 

| 15.5| | AND, where personal information collected through such tracking technologies is used to make a 


decision that directly affects the individual to whom the information relates, it will be retained for a 
minimum of two years after the last administrative action as required under the Privacy Regulations. 


-> Continue to Question 16 
NO 
15.6 Tracking technologies are not used to collect personal information about users. 


| Will the new or modified program or activity result in new or increased surveillance or monitoring of a 
targeted population? (input to this section should be coordinated with and reviewed by the CBSA ~ IT - 


E 


: P Ag qe 9 i 
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Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 
Charter of Rights and Freedoms 


Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
YES 


targeted population and the scope of the surveillance or monitoring are adequately described under 
Part 6: Technology and Privacy of "Section 2 — Risk Area Iden tification and Categorization" of the 
CBSA PIA, 


| 16.3 | ] AND, any personal information collected or created as a result of such surveillance or monitoring is 

| described in the relevant PIE and in Section 3 — Analysis of Personal Information Elements" of the 

| CBSA PIA. 

| 16.4[ | AND, the collection or use of personal information through surveillance or monitoring is adequately 

: reflected in the "Privacy Notice", unless such notification might result in the collection of inaccurate 
information or defeat the purpose or prejudice the use for which the personal information is 
collected. 


| 16.2 L| And, ensure the surveillance or monitoring method(s) to be used, the characteristic(s) of the 
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nformation collected or created through these methods are made 
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aware of privacy and security poli icy requi irements. 


~> Continue to Question 17 
NO 


| Does the program or activity involve compliance/regulatory investigation or law enforcement, surveillance 
| or intelligence gathering that targets specific individuals against whom penalties, criminal charges or 
| sanctions may be applicable? 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 
Charter of Rights and Freedoms 


Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
YES 


| Consult with your legal advisors to determine whether or not the compliance/regulatory 
investigation or law enforcement activities raise any issues relating to the Charter of Rights and 
Freedoms, the Privacy Act or other applicable acts. 


SZ AND, identify the legislative authority and the specific regulatory or law enforcement purpose 
involved: 


| Detail: Information provided bya person in n support ofa an n appli ication for Ministerial relief is 

| collected under the authority of subsection 15(1) of the IRPA. Drafting a recommendation for 
: the Minister of Public Safety and Emergency Preparedness requires assessing the applicant's 

| submissions within a context of the immigration information in the possession of both IRCC 

: d the CBSA. As part of this analysis, the MRU may identify cases in which applicants may 
have provided information contradictory to what had been previously provided in the context 
| of advancing other applications. Where an MRU analyst believes such contradictions might 

| rise to the level of misrepresentation, the inconsistencies may be brought to the attention of 
CBSA or IRCC enforcement officers to determine whether any proceedings relating to 

- misrepresentation, or the vacation of refugee protection status, are warranted. 


a 3 a AND, if the legislative authority di differs from the legal authori ity for the program or activ Vil. ensure i 
is adequately reflected in the response to Question 1 of "Section 5 — Privacy Compliance Analysis" 
and in “Section 1 — Overview and PIA initiation “of the CBSA PIA. 


: 17.4 AND, any personal information collected or created as a result of such regulatory or criminal 
: enforcement, surveillance or intelligence gathering program or activity is described in the relevant 
PIB and in "Section 3 — Analysis of Personal Information Elements” of the CBSA PIA 


X] AND, the collection or use of personal information through these compliance / regulatory 
investigation or enforcement activities is adequately reflected in the "Privacy Notice”, unless such 
notification might result in the collection of inaccurate information or defeat the purpose, or 
prejudice the use, for which the personal information is collected. : 
|_| If notice about the compliance/regulatory investigation or law enforcement activities will not be 
provided. : 
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| The program or activity does not involve the conduct of regulatory or criminal enforcement, 


17.6) 
| surveillance or intelligence gathering. 
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Risk One - Over-Collection of information: 


With the Ministerial relief program, there is risk of the over-collection of information, as applicants may 
choose to provide information that has not been requested or required by the CBSA. Because an 
applicant may not know which elements of their particular circumstances the Minister of Public Safety 
(“the Minister") may find compelling, and given that "national interest" is not a legally-defined or static 
concept, there is a tendency for applicants to submit a broad range and high volume of material. By the 
nature of the "legal test" applicable to Ministerial relief assessments (the onus is on the applicant to 
satisfy the Minister and not the contrary), applicants are not precluded from providing any information 
they may wish with the goal of satisfying the Minister that granting relief would not be contrary to the 
national interest. An example of this is the applicant's Social Insurance Number. Despite the CBSA not 
requiring this information, applicants often choose to submit documents which contain it. 


Mitigation: 


The over-collection of information will always be a risk that requires managing. Due to the bc test" 
applicable to MR assessments, it is not possible to develop a comprehensive list or other similar 
limitation on the type of information that an applicant may provide toward their application. 


However, the MR form may help streamline future applicant submissions by means of standardizing 
certain information required or recommended to be provided to the CBSA at the outset — though an 
applicant may still choose to provide any additional information or documentation for the Minister to 
consider at any time. Administrative law requires that all submissions made by an applicant be put 
before the decision maker for consideration, regardless of the degree of their relevance to the national 
interest assessment. Furthermore, as MR decisions are subject to judicial review, the complete 
submissions of an applicant need to be included as part of the certified tribunal record in the event that 
the applicant litigates the MR decision. 


Risk Two — Unauthorized Exposure or Loss of information Collected: 


MR applicants submit hard copies of their submissions and physical | files are held by the MR unit. With 
physical files there is the risk that sensitive information is left out in the open, or could potentially be 
misplaced. Additionally, due to the approval process that MR files are subject to, many employees at 
different offices within the CBSA may come into contact or have access to case-related information. MR 
applicants also provide information and submissions to, and correspond with, the MR unit by email. 
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Name of Program / Activity / Service | PIA 
Mitigation: 


In order to mitigate such risks, the MR unit has filing cabinets secured by combination locks. MR unit 
employees are also provided with security awareness training at regular intervals and are aware of 
security and privacy policies and procedures. This training also applies to all employees who would 
come into contact with MR application packages and decisions through the approvals process: Director's 
Office, Director General's Office, Vice-President's Office, President's Office and the Minister's Office. 


Any electronic records or personal information of the applicants are kept within the CBSA's secure 
network or accessed via the CBSA's secure network. in the event a computer is left unattended with 
sensitive information on the screen and/or readily accessible, the computer will time out and lock, 
requiring a password to re-enter. Additionally, all computers are housed on a secure floor requiring a 
key card to enter. 


The CBSA is transitioning to Apollo, an Agency-specific form of the new Government of Canada 
electronic document and records management system called GCDOCS, which will replace personal and 
shared drives and email archives by a single corporate document repository. Apollo allows the 
safeguarding of information by restricting access and designating permissions to individual folders, and 
the electronic holdings of the MR Unit will be very strictly controlled. in addition, all staff must complete 
mandatory biennial information security training. The transfer of client records held in email archives 
has already begun and it is a program priority to complete the full transfer within the 2017-2018 fiscal 
year. 
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T DOCUI JENTS LIST 


| SECTION 7 - SUPPLEMENTAI 


List all supplementary documents that support the conclusions of this CBSA Privacy Impact Assessment. 
For each document, cite the specific sections of the documents (subject, chapter, page, paragraph, etc.) 
that correspond with the CBSA PIA and link them to the PIA sections. 


2 Appl cation for Mee ion of Relief Under Entire document ES ion 3 
Subsection 42.1(1) of the IRPA (BSF 766E) | 


"E 3. Privacy Consent statement for form BSF765E Entie document Sections 55,58 — 
4, Amended Regulations, Ministerial Relief Enti ire document | Sections 1.10, 5.1 
Program. | 


Additional documents used or related to the CBSA PIA may include: 
e Project and Product Scope 


se Business Case / Project Charter 

e Business Requirements 

e Threat Risk Assessments 

# Risk Management Plan 

e Contracts / Memoranda of Understanding / Agreements 
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: The following signature represents a The following signature represents a commitment 
| commitment to comply with sections 4 to 8 of by the Head of the institution or his/her 

| the Privacy Act and the related privacy policy delegate(s) who is responsible for establishing 
requirements outlined in the CBSA PIA as they personal information banks in accordance with 
relate to the administration of the identified section 10 of the Privacy Act. 

program or Acti i 


X X2 


p 


| Signature of CBSA Vi 
| program or activity 


| Date mE Date 


| Note: Responsibility for sections 4 to 8 of the Privacy Note: Under the Privacy Act, the Head or his/her 

| Act rests with all employees of government delegate(s) is responsible for complying with legal and 
institutions that handle personal information. Officials relevant privacy policy requirements related to the 

. who manage such programs and activities are approval and registration of personal information 

: responsible for ensuring that such requirements are banks 

- implemented as part of the administration of the 

| program or activity. 
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Action required to support legal and policy compliance 
(cross reference to relevant question of Section 5 — Privacy 
Compliance Analysis) 


Legal authority for the program or activity has been established and is 


reflected in the relevant PIB. 


a) The categories and elements of personal information to be 
collected for the new program or activity have been carefully 


assessed based, for example, on the CBSA's experience gained with 


the administration of a similar program or activity. The personal 
data collected will be limited to only that which is required.) 


b) Categories and elements of personal information have been 
described in the relevant PIB for the program or activity. 


c) Controls and procedures will be implemented to ensure the CBSA 
does not collect more personal information than necessary for the 
program or activity and that a continuing need exists for the 
personal information and its collection. 


a) All of the requisite "Privacy Notices" and "Consent Statements" 
that meet the requirements of sections 6.2.9 to 6.2.12 of the 
Directive on Privacy Practices have been drafted. (Texts of the 


notices anes ud sate ens must Bed Mio a: e as an annex.) For 


BY ipn 
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ofi ndivi des consent and to ensure that persons acting on behalf 
of individuals who do not have the capacity to provide consent 
have the authority to do so under section 10 of the Privacy 
Regulations. 


a) A Records Disposal Authority (RDA) has been a by Library 
and Archives Canada to authorize the disposal of the records 
containing personal information for the program. 


b) Controls and procedures have been implemented within the 
program or activity and the CBSA ATI and Privacy Division to 
ensure that information that has been used for an administrative 
purpose will be kept for the minimum retention period 
established by the Privacy Regulations. 


.€) Reference to the RDA, the retention period and the disposition 


standards for the program have been cited in the relevant PIB. 
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Privacy Action required to support legal and policy compliance Done Tobe 
Compliance (cross reference to relevant question of Section 5 — Privacy . done 
Analysis question — Compliance Analysis) 
8 Controls and procedures are in the process of being implemented to | 
ensure that the personal information associated with the program is À: 


as accurate, complete and up-to-date as necessary. 


Other Privacy Considerations related to specific principles that are not explored in the previous 17 sections: 
(these considerations should be explored in the Executive Summary) 


Openness Describe how the results of any pri geo Ab sat assessment or audit 
will be made available to ME public. xi TE 
pi ibi ished ion the extern: nr 


a; 


+ 


Me i an RAF .cbsa-asic.gc 


EU 
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Are policies and practices relating to the proposal's management and 
handling of personal information available to the public? 


is there a communications plan to explain to the public how personal 2 
information will be managed and protected? 


Is there a clearly defined and easy process for individuals to access 
such information and/or communicate with appropriate individuals 
with respect to policies and practices relating to management and 
protection of personal information? 


Where appropriate, will public consultation take place on the privacy 
implications of the proposal? 


individual's Access Is the system designed to ensure that an individual can have access to | 
to n m deles information, n all other programs or 


Personal information 


Are there documented procedures developed or planned on how to 
make privacy requests or requests for the correction of personal 
information? s. 12 (2) 


Are individuals provided with access to their personal information in ne 
the official language of their choice? s. 17(2) - 


If appropriate, are individuals provided with access to their personal 
information in an alternative format? s. 17(3) 


Challenging Are the complaint procedures for the proposed program or service | a 
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Privacy _ Action required to support legal and policy compliance . Done 
Compliance —— (cross reference to relevant question of Section 5 — Privacy : 
Analysis question _ Compliance Analysis) 
# 

Compliance consistent with legislated requirements? s. 29-35 
To improve information management practices and standards, has a a 
procedure been established to log and periodically review the nature, 
frequency and resolution of complaints? 
Are there oversight and review mechanisms implemented or L 

available to ensure accountability? 

Have oversight agencies, including the Office of the Privacy 


Commissioner, issued reports or opinions on issues that would be 
relevant to the proposal? 
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| Annex | 


Office of the Privacy Commissioner Expectati ions 


in their March 2011 document, Expectations: A Guide for Submitting Privacy Impact Assessments to the 
Office of the Privacy Commissioner of Canada, the Office of the Privacy Commissioner (OPC) has 
expressed the importance of analysing the risks of the project, program or initiative against the ten 
universal privacy and fair information practice principles of the Canadian Standards Association Model 
Code for the Protection of Personal Information. 


The most relevant demonstration of the privacy risk and compliance analysis is the action plan. The OPC 
has said the following in their Expectations guide with respect to the action plan 


Once privacy risks and their proposed mitigating measures have been identified, we expect to 
see an Action Plan drawn up by the institution, indicating a specific time frame for remedying or 
mitigating the risks that have been identified, and if possible, naming a specific person or staff 
position accountable for taking action 


The action plan must list all privacy risks and compliance issues identified in the PIA and supplementary 
documentation. All risks and issues must be organized by the 10 universal privacy principles. 


All recommendations and proposed mitigation strategies must also be described in the action plan. 
identify the responsible dedu) area and the timeline for completion or implementation of the 
strategy. The ATI and Privacy Division will provide programs with an action plan template to be 
addressed near the end of the PI A process. 


The expectations of the OPC for each privacy principles are included below for your reference. 


Accountability 

Under this principle the OPC would expect to see documentation of an administrative structure for 
privacy, including input from legal services, access to information and privacy and information 
technology branches within an institution, with defined processes for determining when new projects 
require PIAs, for carrying them out, implementing mitigating measures and auditing for assurance of 
compliance. We expect PIA reports to be signed off at the appropriate level, and that training in privacy 
issues and procedures has been documented and is refreshed with employees regularly; and that 
privacy protective language is included in all contracts with third parties handling personal information 
in accordance with TBS guidance documents and internationally accepted best practices; and that 
regularly scheduled privacy compliance audits will be undertaken and the findings acted upon. 


Identifying Purposes 

The Privacy Act restricts federal government institutions to the collection of personal information that 
relates directly to an operating program or activity of the institution, so we would expect to see a clear 
description of the program and why each piece of information is needed; a description of the legislative 
authority for the collection; a clear listing of all the data elements collected; copies of any relevant 
documents such as application forms identifying the purpose for the collection or on-line notices of use; 
a copy of an up to date Personal Information Bank (PIB) description; a statement of any proposed new 
consistent use of information previously collected and a clear rationale as to how the use is reasonable 
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and directly connected to the original collection -- this may include an analysis of how an individual to 
whom it relates would reasonably expect it to be used for that purpose; a statement outlining any 
intended secondary uses of the information; whether the information is collected directly from the 
individual and if not, why; and a description of how personal information used for planning, forecasting 
or statistical purposes would be anonymized or de-linked from individual identifying information. 


Consent 

This is closely tied to the Identifying Purpose principle. Under this principle, OPC would expect to see a 
copy of notification language on forms or websites; a clear description of the purpose for collection; a 
rationale for not seeking consent, as is provided for in the Privacy Act; for web sites, a copy of the 
Privacy Notice Statement under which personal information is submitted to the institution. 


Limiting Collection 

Under this principle, OPC would expect to see a clear justification of the need for each data element 
collected, in keeping with the requirement of the Privacy Act that no personal information is to be 
collected by a government institution unless it relates directly to an operating program or activity of the 
institution; an indication that a data minimization exercise has been undertaken to ensure that each 
data element is necessary and that this exercise will be refreshed regularly; and that information 
collected from another department for a secondary use will be purged of all but the essential data 
elements before use. 


Limiting Use, Disclosure and Retention 

Under this principle, OPC would expect to see a description of the specific uses and proposed 
disclosures of the information; a clear statement limiting the use of the information to the purposes 
identified; a clear retention policy and disposition schedule that is also noted in the PIB; a process for 
destruction of the information that is in keeping with the Privacy Act and Regulations; copies of MOUs 
or agreements with third parties to whom information is disclosed governing its use, retention and 
disclosure, and clauses with contractors or sub-processors of information indicating the originating 
institution has the right to audit for compliance with privacy provisions. 


Accuracy 

Under this principle, OPC would expect to see a description of the process used by entities to ensure 
accuracy, particularly when administrative decisions are made; a description of how changes to records 
are logged and monitored; a statement of whether automated decision-making based on risk profiles is 
being undertaken and how automated decisions are vetted for accuracy; an explanation of the 
processes open to individuals seeking to correct information; a description of the process by which 
second or third parties to whom information has been disclosed will be notified of changes and 
corrections to the record; and a description of how audit trails of records transactions are monitored 
and evaluated. 


Safeguards 

OPC would expect to see under this principle a description of the physical and electronic safeguards that 
are in place to protect information; a Threat & Risk Assessment (TRA) with emphasis on privacy risks and 
concerns and a discussion of how these concerns have been remedied or addressed; a notation that 
encryption is used for personal information both in transit and at rest; a description of how system logs 
of information transactions are monitored for inappropriate use, including viewing of the information; 
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policies for the use of portable storage devices such as flash drives; a description of role-based access 
controls; and a description of the steps taken to ensure complete destruction of the information at the 
end of its life cycle. 


Openness 

Under this principle, OPC would expect to see a summary of the PIA written in plain, understandable 
language, posted on the institutional website in a manner accessible to the general public and 
containing a link to the relevant PIB description in CBSA Info Source; for particularly sensitive or privacy 
invasive programs we would expect to see the public communications plan described in the PIA, 
including a variety of methods such as posters, brochures and media announcements as well as detailed 
discussion of the PIA in the institution's Annual Report under the Privacy Act; a description of 
consultations with key stakeholders and the privacy risks or concerns raised should be readily available 
on the website; the name and contact information of an individual accountable for the handling of 
personal information should be easily obtained through the website or by calling the institution's main 
public number. 


individual Access 

Under this principle, OPC would expect the PIA to include a description of any informal process the CBSA 
may have in place for access to and correction of personal information; an up to date and 
comprehensive description of information contained in the PIB corresponding to the initiative; a 
description of the process by which information in the hands of third parties is corrected following 
requests; a description of how the general public is made aware of these processes, for example, by a 
link and/or a toll-free number shown on the home page of the institutional website. 


Challenging Compliance 
OPC would expect to see the PIA address this principle by indicating clearly who is responsible for 


similar activity or pilot project and how they were handled; including privacy issues in project 
evaluations or feasibility reports; describing how and when compliance audits for privacy will be 
undertaken; including information on how to file a complaint with OPC under the Privacy Act; and 
reporting in some detail on specific and/or systemic privacy issues in its Annual Reports. 
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: "Annex C. Categories of Personal Informatio 


The Description section in a personal information bank (PIB) describes the personal information 
in the records to which the bank relates. Treasury Board Secretariat has established the 
following categories of personal information, which give examples of specific elements of 
personal information that fall under each category. The purpose of the categories is to reduce 
the number of personal information elements that need to be listed in the Description section 
These categories are representative of the personal information col Td idi most institutions, 
and they now appear in dtd of the CBSA regi iiid PIBs. The ATI and Privacy Division 


modified the original list to | reflect CBSA business Hines. 


Biographical information (e.g. work history, curriculum vitae, family informatio 
Passenger Information, etc.) 
Biometric information (e.g. blood type, eye or facial scan, DNA, finger / hand prints, etc.) 
Contact information (e.g. work and / or home information, including postal and e-mail 
addresses, telephone, fax, cell phone numbers, etc.) 
Citizenship status or Nationality (e.g. citizen, landed immigrant, etc.) 
Crew detailed information 
Criminal checks / history (e.g. information related to criminal record checks, 
investigations, charges, conviction dates and locations, pardons, etc.) 
Date of birth 
Date of death 
Destination City 
Employee identification number (e.g. Personal Record Identifier) 
Employee personnel information (e.g. records of attendance and leave, notices of 
disciplinary action, alternative work arrangements, decisions concerning compensation 
and fitness for work, official languages qualifications, salary, deductions, level of security 
clearance, performance reviews and appraisals, rating board assessments, including 
evaluation notes from staffing boards, training and development course applications 
and evaluations, etc.) 
E-Ticket information 
Financial information (e.g. income, investments, mortgages, loans, orders of 
garnishment, financial institution information for direct deposit and other banking 
purposes, including name and branch number of institution, account number(s) and 
name(s) on accounts, etc.) 
FOSS Case Number 
Gender 
Itinerary Citie 
Language [on : mother tongue, official and other languages, etc.) 
Medical information (e.g. psychological assessments, blood type, etc.) 
Name (e.g. last name (surname/family name), given names (first, second or more), 
maiden name, nicknames, aliases, etc.) 
Opinion or views of, or about, individuals 
Passenger Name 
Passport Number or Travel Document Number 
Place of ticket purchase 
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Photos 

Physical attributes (e.g. height, weight, color of hair and eyes, physical markings (scars, 
tattoos, body piercing), etc.) 

Place of birth 

Place of death 

Port of Embarkation and Port of Debarkation 

Signature 

Special Travelling Considerations such as Employee Pass, Buddy Pass and Parental 
Passes 

Visa Number 
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| EXECUTIVE SUMMARY 


Scenario Based Targeting 


The Scenario-Based Targeting (SBT) initiative is aligned with the Canada Border Services Agency's [CBSA] 
border vision and the Government of Canada's commitments under the Beyond the Border Action Plan to 
address threats earlier to enhance our security and accelerate the flow of legitimate goods and people. This 
initiative is an important part of the Beyond the Border declaration, negotiated between Canada and the 
United States (US) in 2011, whereby Canada committed to implementing a harmonized methodology for the 
screening of all travellers. 


The CCRA implemented the Advance Passenger Information (API)/Passenger Name Record (PNR) program in 
October 2002 mandating the collection of prescribed information from commercial air carriers to identify 
persons who are or who may be involved with terrorism or terrorism-related crimes or other serious crimes, - 

including organized crime, that are transnational in nature. In 2003 and 2004, the CBSA established the High- 
Risk Traveller identification Initiative (HRTI) jointly with the United States Customs and Border Protection (US - 
CBP) to extend the API/PNR program to identify high-risk air travellers. Both parties agreed to implement a risk 

scoring methodology within their automated passenger systems to conduct risk assessment of unknown nigh- 
 fisk air passengers flying into their respective countries. 


| After an extensive analysis of the risk scoring methodology and the continued commitment to comply with - 
agreements made with the US CBP, the CBSA undertook the replacement of risk scoring functionality with - 
scenario-based rules functionality on a limited basis. In January 2010, the Executive Policy Committee 
approved the implementation of a long term solution for SBT within the Passenger Information System - 
(PAXIS). 


SBT-related enhancements to PAXIS will increase the efficiency, effectiveness and accuracy of the Targeting | 
Officers otherwise manual and labour-intensive work, and thereby help facilitate the more efficient 
movement of legitimate people while safeguarding the border and the security of Canada. The enhancements - 
also dramatically reduce scenario deployment times and costs enabling the CBSA to respond to imminent - 
threats. 


The scope of the SBT project is to make changes to PAXIS, previously using a risk scoring methodology, to 
| scsi nes à SRenare basea a to d the eae 7: oe, stip ee lien 
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The SBT project and methodology is subject to the Customs Act, sections 7.1, and 107.1, the Immigration and - 
Refugee Protection Act, paragraph 148(1)(d) and 149, the Immigration and Refugee Protection Regulations, 
Section 269, and the Passenger Information (Customs) Regulations, Protection of Passenger Information 
Regulations. | 


The Pre-Border Programs Division of the CBSA is undertaking the replacement of risk scoring functionality with 

_scenario-based rules functionality using API/PNR information that are processed and maintained in PAXIS. The | 
scope of this Privacy Impact assessment (PIA) is limited to assessing privacy risks associated with the - 
deployment of the SBT methodology. 


This PIA is an appendix to the overarching API/PNR Program PIA along with the High-Risk Traveller 
Identification Initiative (HRTI) PIA. : 


This PIA Report identified one minor privacy risk related to the API/PNR Program Personal Information Bank 
(PIB) in the manner in which it currently reflects risk scoring, rather than SBT methodology and does not fully - 
reflect statutory authorities for use of the personal information. This risk will be mitigated or eliminated when the - 


API/PNR Program PIB will be updated for March 2014. 


Right of Access | 

An individual may formally request access to their personal information, or access to corporate records related - 

to or created by scenario based targeting, by contacting the Access to Information and Privacy Division. More - sri 
information about this can be found at: http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia- — | 
efvp/atip-aiprp/menu-eng.html. 


Accountability : 
If an individual has concerns about the collection, use, disclosure or retention of their personal information, 
they may issue a complaint to CBSA Access to Information and Privacy Division. Complaints should be made in 

writing, and include the individual's name, contact information, and a brief description of their concerns. - 
Contact information for the Access to Information and Privacy Division at the CBSA can be found at. 
http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip-aiprp/contact-eng.html. 
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| DEFINITIONS 


This section provides definitions of the terms frequently used in this report: 


~ + The Action Plan describes the steps that the EM will take to address privacy risks that 
: have been identified by CBSA and the OPC. 


| The privées Act defines an "administrative purpose" to be the use of an individual's 
personal information i in a a decisi ion- making process that directly affects that individual. 


API includes: 
e surname, first name and initial or initials of any middle names; 
œ date of birth 
* the country that issued them a passport or travel document or, if they do not have a 
: passport or travel document, their citizenship or nationality; 
+ their gender; 
^* their passport number or, if they do not have a passport, the number on the travel 
: document that identifies them; and 
^* their reservation record locator or file number 


| Confidentiality The Policy on Government Security (2009) defines ' ‘confident ality” to be the a 
| _ characteristic applied to information to signify that it can only be disclosed to authorized 
| individuals to prevent injury to national or other interests. 


: Consistent use — Isa use that has a reasonable and direct connection to the original purposes ) for which the | 
| . information was obtained or compiled. This means that the original purpose and the | 
| p: Wopaseop purpose are so Ar related that the indiv ud vous isch that 


. Data Matching  Acomparison of personal information obtained from a variety of sources, including 
. personal information banks, for administrative or non-administrative purposes. Data 
matching is a specialized activity involving the collection, use and disclosure of personal 
| information that is subject to the various requirements of the Privacy Act. 


| info Source  Aseties of annual Treasury Board Secretariat publications in which government institutions 

: are required to describe their institutions, program responsibilities and information 
: holdings, including Personal Information Banks (PIBs) and classes of personal information. 
- The descriptions are to contain sufficient clarity and detail to facilitate the exercise of the 
tight of access under the Privacy Act. Data-matching activities, use of the Social Insurance 
. Number (SIN) and all activities for which privacy impact assessments were conducted have 
to be cited in info Source PIBs, as applicable. The Info Source publications also provide 

| .. contact information for government institutions as well as summaries of court cases and 

| statistics on access requests. 


tre | The NTC is responsible for ensuring national security by detecting Land interdicting the 

: movement of high-risk people and goods. It operates 24/7 and acts as a focal point 
| between international, national and local law enforcement agencies to protect Canada 
_ from emerging threats. 


j Information regarding a persons’ travel itinerary, contained within a commercial carrier's 
IP. reservation system, created once a person makes a reservation. It includes: 


* Name 
* Any collected API 
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e. Date of intended travel 
Date of reservation 
Date of ticket issuance 
Travel agencies 
Travel agent 
Contact telephone information 
Billing address 
Ail forms of payment information 
Frequent Flyer Information 
Ticketing Field information 
Ticket number 
Split/divided PNR Information 
Go show information (ticket purchase without a reservation) 
No show information 
All travel Itinerary Information 
Standby information 
Other names on PNR 
Check in information 
Bag tag numbers (Baggage information) 
S Seat information 
o * Seat number 

o + One way tickets 


* 9 9$ ù + 9 © —9 (9 6 € € 9 @ 


+ 


"o 0 mformation about an identifiable individual as defined in section 3 of the Privacy Act. This 

|. . definition, although lengthy, is not exhaustive, as indicated by the introductory phrase, 

. . . "including, without restricting the generality of the foregoing". Information that is not 
—.. specifically mentioned in the list may still be included in the definition of personal 

— information if it qualifies as "information about an identifiable individual". 


. A description of personal information that is organized and retrievable by a person's name 

_ or by an identifying number, symbol or other particular assigned only to that person. The 

| personal information described in the personal information bank has been used, is being 

.. used, or is available for an administrative purpose and is under the control of a government 


institution. 


The Office of the Privacy Commissioner of Canada describes "privacy" as ^... the right to 
- control access to one's person and information about one's self. The right to privacy means 
that individuals get to decide what and how much information to give up, to whom it is 
given, and for what uses." The Treasury Board Secretariat s Directive on Privacy Practices 
(2013! defines privacy to be "the right of an individual to be left alone, to be free of 


E oS v | - associated to a pattern. Values were assigned to specific information elements found 
within API PNR records. When PAXIS processed a traveller's API PNR record against the risk 
— patterns, the values of matching elements found accumulated to a total score. If the total 


(.. PAXIS contained four (4) risk templates which highlighted various information elements 
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| four (4) establ ished risk patterns, it was considered to be a high risk score. Those travellers 
were then provided to NRAC Targeting Officers for review. 


Scenario . For each passenger travelling to Canada information is assessed against scenario criteria 
and elements to determine whether a traveller may be suspected of being high-risk and 
may require closer scrutiny. The critería and elements are derived from analyzing 
enforcement information, tactical and operational enforcement information as well as 
intelligence information from law enforcement partners 


| Scenario based targeting is the application of a risk assessment meddle to identify 
high risk travellers whereby each scenario represents a specific combination of indicators of 
_ : risk, Scenarios do not generate a cumulative score; rather, when a traveller's information —— 
_ matches all the criteria and elements of a scenario, they are considered to have potential 
risk whi ich requires review by a targeting officer. 


Target | The product of the targeting process that alerts appropriate CBSA personnel of an 
impending Ga risk to national security and/or adds ic safety ad orties. 


Targeting _ The process of identifying suspect high-risk people, goods and conveyances through a 
_ deductive reasoning process that utilizes intelligence products and technology to alert 
: appropriate CBSA personnel of an impending suspected risk to ensure the interception of 
people, goods and conveyances that pose a risk to national security, including those 
: related to public stety priorities. 


- A CBSA employee that identifies suspect high-risk people, goods and conveyances through 
3 the established targeting process and generates a target to alert appropriate CBSA 
| personnel of an impending suspect risk to national securi ity and/or public safety priorities. 


This report is a Privacy Impact Assessment (PIA) for the SBT methodology within the risk assessment and 
targeting program of the CBSA. The objectives of this PIA are: 


to review the SBT business processes in order to identify the flow of personal information; 
to analyze the collection, use, disclosure and retention of SBT-related personal information; 
to determine if there are privacy risks associatec with SBT methodology; and, 

to provide recommendations on the mitigation or elimination of any resulting risks. 


* » * $ 


The information presented in this report follows the Treasury Board of Canada Secretariat (TBS) 
Directive on Privacy Impact Assessment (2010). 


The purpose of a PIA process is to ensure that privacy is considered throughout the project development 
cycle. The results of a PIA are a documented guarantee that privacy issues have been identified and 
adequately addressed. uc 


Government Institution: Canada Border Services Agency, Pre-Border Programs Branch 
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Government Official Responsible for the Privacy Head of the government institution / Delegate for 
impact Assessment section 10 of the Privacy Act 
CBSA Vice President Programs Branch CBSA ATI and Privacy Director 


Approach to the Report 

The approach to completing this PIA included a review of related documentation and meetings among CBSA 
officials. The advent of the use of SBT methodology was reviewed, summarized and analysed. Further 
enhancements to the SBT methodology may occur in the future pertaining to analytics and trend and pattern 
analysis. 


Name of Prog 


ram or Activity of the Government Institution: 


Scenario-based targeting relies on the use of API/PNR information which is managed by the API/PNR 
Program and referenced within this PIA document. The API/PNR Program falis under "Risk Assessment" 
of the CBSA's 2011-2012 Program Activity Architecture of which "Targeting" is a sub activity. 


Description of Program or Activity: 


Description of the class of records associated with the program or activity: 


Class of Record Number: 


Scenario Based Targeting for High Risk Travellers OPA vid 
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LG Proposal to modify an existing Personal Information Bank - identify PIB registration number and current 
description: 


Purpose: Th 


N. 


a Proposed new Standard Personal Information Bank 
_| Proposal to modify an existing Standard Personal Information Bank - identify Standard PIB number and 
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n Act; 


Summary of the project, initiative, or change: 


The SBT initiative is aligned with the CBSA's border vision and the Government of Canada's 
commitments under the Beyond the Border Action Plan to address threats earlier to enhance our 
security and accelerate the flow of legitimate goods and peopie. 


This initiative is an important part of the Beyond the Border declaration, negotiated between Canada 
and the US. In 2011, as part of the Beyond the Border Action Plan, Canada committed to implementing a 
harmonized methodolo: 

implementation of fully automated user managed scenario based rules. 

The CCRA implemented the API/PNR program in October 2002 with the objective of mandating the 
collection of prescribed information from commercial air carriers for all air travellers for the purpose of 
risk assessing persons before they reach Canada’s borders. 


Bom 


in 2003 and 2004, the CBSA established the High Risk Traveller identification Initiative (HRTI) jointly with 
the US CBP to extend the API/PNR Program to identify high-risk air travellers. This protection was 
achieved through the pre-arrival risk assessment of traveller information within the risk scoring 
component of PAXIS. 


US. Both parties agreed to implement a risk scoring methodology within their automated passenger 
targeting systems to conduct risk assessment and targeting of unknown high-risk passengers flying into 
their respective countries. 


ent a scenario based rules 


Shortly after implementation, the US CBP changed their systems to implen 


based rules approach. 


After an extensive analysis of the effectiveness of the risk scoring methodology and the continued 
commitment to comply with agreements made with the US CBP, the CBSA undertook the replacement 
of risk scoring functionality with scenario-based rules functionality on a limited basis. Using API/PNR, 
historical enforcement trends and intelligence information, the scenarios will more effectively direct the 
focus on a smaller, more specific, segment of the travelling population who represent a potential high 
risk. SBT will also enable greater flexibility in scenario creation and maintenance that the risk scoring 
approach did not provide. It will be possible to create, modify or delete a scenario from PAXIS in near 
real time to support new, evolving or expired risk threats. 


In January 2010, the Executive Policy Committee approved the implementation of a long term solution 
for SBT within PAXIS. PAXIS is a decision support too! that enables the CBSA to improve the use, 
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analysis, and dissemination of information to target, identify, and prevent those travellers linked to 
terrorism, terrorism-related crimes and other serious crimes that are transnational in nature from 
entering Canada. 


SBT-related enhancements to PAXIS will increase the efficiency, effectiveness and accuracy of the 
Targeting Officer's otherwise manual and labour-intensive work, and thereby help facilitate the more 
efficient movement of legitimate people while safeguarding the border and the security of Canada. The 
enhancements also dramatically reduce scenario deployment times and costs enabling the CBSA to 
respond to imminent threats. Further, risk assessment will no longer be undertaken in two tiers 
(Regions and Headquarters), but will be consolidated into a single-tier model where the National 
Targeting Centre will undertake all targeting activities for ali risks including SBT. 


SBT methodology, once implemented, will include a flexible, user-managed risk tool that other CBSA 
traveller targeting initiatives can benefit from. This will be flexible enough to support expansion of 
targeting and risk assessment for other initiatives in the future, however, at this stage, such other 
initiatives are not yet identified and no decisions have been made that would result in the SBT too! 
being used by other CBSA initiatives. 
The SBT methodology is scheduled to be implemented in three releases: 

1. Release 1- 2014: Implementation of a user managed scenario application 

2. Release 2- 2014: Changes to the PAXIS workflow and interface 

3. Release 3- 2015: Enhanced and/or automated enforcement queries and any remaining 

requirements 


This PIA assessed privacy concerns for functionality which was put forth for inclusion in the three » 
releases but may need to be updated at a future date based on new or revised content to Release 3. The 
SBT initiative is subject to the Customs Act, sections 7.1, and 107.1,the Immigration and Refugee 

Protection Act, paragraph 148(1)(d) and 149,the Immigration and Refugee Protection Regulations, 

Section 269, Passenger Information (Customs) Regulations, and the Protection of Passenger Information 
Regulations. 


The assessment of travellers for risk is not a new activity; this occurred with risk scoring. The use of SBT 
methodology is only a change in the process of assessing travellers for risk. 


Program Activity and Organizational Operation 


SBT relies, in part, on the use, access, retention and disclosure of API/PNR information which is 
managed by the API/PNR Program and described in this PIA for informational purposes. The API/PNR 


Scope of this PIA 


The Pre-Border Programs Division of the CBSA is undertaking the replacement of risk scoring 
functionality with scenario-based rules functionality using API/PNR that is processed and maintained in 
PAXIS. 


The scope of this PIA is limited to assessing privacy risks associated with the deployment of the SBT 
methodology which will enable the CBSA to identify high-risk individuals and risk threats using 
intelligence-based recommendations and scenario-based risk rules. 


This PIA is a sub-component of the API/PNR PIA and the HRTI PIA. 
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The API/PNR PIA focuses on information acquisition, retention and use while the HRTI PIA includes the 
previous risk scoring methodology and focuses on the disclosure of personal information to the US CBP. 
This SBT PIA focuses on the use of personal information. 

The scope of this PIA is limited to the application of the SBT methodology only; most other aspects of 
personal information lifecycle management have been dealt with by the two other PIAs. 


The personal information collected, managed, and disclosed by CBSA under the API/PNR Program is not 
part of the scope of this assessment, nor is information collected, managed, and disclosed to the US 
CBP. The scope of this PIA is limited to the assessment of risk to privacy using SBT to identify high-risk 
travellers within PAXIS. 


The following table describes the scope of each PIA for clarity and to situate the SBT PIA in the overall 
privacy assessment context of API/PNR information. 


Overarching PI A, that inel ides both the HRTI as well as the SBT 
PIA's. The scope of this PIA covers the collection, use, disclosure, | 
retention and disposal of personal information collected for the 
| API/PNR Program for air mode and retained in PAXIS. 2 
: The scope of the API/PNR PIA report does not include the operation | 
of ICES or FOSS, although personal information from these systems 
T API/PNR Program. 


Overarching Componen 
| API / PNR PIA 


| Sub Component: PIA is limited to the CBSA responsi ibiliti - 
| HRTI PIA 3 a with the HRTI initiative and includes the previous risk 
| | scoring methodology and the sharing of API/PNR information with 
_the US CBP. 


ET Components: | 


| Thes scope c of this PIA is limited to the replacement of risk scori ng 
| SBT PIA | functionality with scenario-based rules functionality using API/PNR 
| information. 


Level of Risk 


Program or activity that does NOT involve a decision about an identifiable individual 

Personal information is used strictly for statistical / research or evaluations including mailing list where no 
decisions are made that directiy have an impact on an identifiable individual. 
The Directive on PIA applies to administrative use of personal information. The Policy on Privacy Protection 
requires that government institutions establish an institutional Privacy Protocol for addressing non- 
administrative uses of personal information. 


Administration of Programs / Activity and Services | | 4 
Personal information is used to make decisions that directly affect the individual (Le. determining eligibility 
for programs including authentication for accessing programs/services, administering program pm 
overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc... 


anada Border Services Agency 
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|. Compliance / Regulatory investigations and enforcement [ ]3 


Personal information is used for purposes of detecting fraud or investigating possible abuses within 
programs where the consequences are administrative in nature (Le. a fine, discontinuation of benefits, audit 
of personal income tax file or deportation in cases where national security and/or criminal enforcement is 
not an issue). 


Criminal investigation and enforcement / National Security 


Personal information is used for investigations and enforcement in a criminal context (Le. decisions may lead 
to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement). 


_ Only personal information, with no contextual sensitivities, collected directly from the Nt 
individual or provided with the consent of the individual for disclosure under an authorized 
program. 


Personal information, with no contextual sensitivities after the time of collection, provided by 
the individual with consent to also use personal information held by another source. 


| Social Insurance Number, medical, financial or other sensitive personal information and/or the | 13 


 incompetent individuals or involving a representative acting on behalf of the individual. 


Sensitive personal information, including detailed profiles, allegations or suspicions, bodily 
samples and/or the context surrounding the personal information is particularly sensitive. 


Within the CBSA (amongst one or more programs within the CBSA) 
With other federal institutions 


With other or a combination of federal/ provincial and/or municipal government(s) 3 


Level of Risk 
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One time program or activity 
Typically involves offering a one-time support measure in the form of a grant payment as a social support 


mechanism. 


Short-term program 


Long-term program 


txisting program that has been modified or is established with no clear "sunset" 


lectronic 


system, software or application program including collaborative software (or groupware) that 
is implemented to support the program or activity in terms of the creation, collection or 
handling of personal information? 


6.2. Does the new or modified program or activity require any modifications to IT legacy systems 


and / or services? 
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6.3 Does the new or modified program or activity involve the implementation of one or more of 
the following technologies: 


6.3.1 Enhanced identification methods: 
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint 
analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, 
new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that 
are embedded with either an antenna or a contact pad that is connected to a microprocessor and à 
memory chip or only a memory chip with non-programmable logic). 


6.3.2 Use of Surveillance: 
This includes surveillance technologies such as audio/video recording devices, thermal imaging, 
recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring 
including audit trails, satellite surveillance etc. 


ysis, personal information matching and 


ae 


6.3.3 Use of automated personal information ana 
knowledge discovery techniques: 
For the purposes of the Directive on PIA, CBSA is to identify those activities that involve the use of 
automated technology to analyze, create, compare, cull, identify or extract personal information 
elements, Such activities would include personal information matching, record linkage, personal 
information mining, personal information comparison, knowledge discovery, information filtering 
or analysis. Such activities involve some form of artificial intelligence and/or machine learning to 
uncover knowledge (intelligence), trends/patterns or to predict behaviour. 


. The personal information is used within a closed system. 
No connections to Internet, Intranet or any other system. Circulation of hardcopy documents is controlled. 


The personal information is used in system that has connections to at least one other system. 


The personal information is transferred to a portable device or is printed. 
USB key, CD-Rom, laptop computer, any transfer of the personal information to a different medium. 


SU sae aes og oe Xa SQ si Ste x QUSS RE en EA ie MOX UR 
Canada Border Services AEOGIHY 


e 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information 


i ^ 


XO secar TR TC a uns i kr ERE RH seta. gage - s simp c Sob eX duel: XC AE E Am 
scenario Based Targeting Tor High Risk Travellers 


Urs 


Processes must be reviewed, taols must be changed, change in provider / partner, 


Organizational harm. 


Changes to the organizational structure, changes to the organizations decision-making structure, changes to 
the distribution of responsibilities and accountabilities, changes to the program activity architecture, 
departure of employees, reallocation of HR resources. 


Reputation harm, embarrassment, loss of credibility. 


Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome 
compromised, government priority compromised, impact on the Government of Canada Outcome areas. 
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inconvenience. 


Reputation harm, embarrassment. 2 


| Financial harm. 3 
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and documented"? 


The practices associated with the collection of personal information are not changing as a result of the 
deployment of SBT and are not directly related to this PIA. However, PIB CBSA PPU 008 explains the 
purposes of the collection of API/PNR and Target-related personal information which is used in the 
SBT process. In addition, the purposes of the collection, use and disclosure are outlined in the API/PNR 
PIA, the High-Risk Traveller identification Initiative PIA and this PIA (Executive Summary, Overview and 
initiation and Summary of the Project, Initiative or Change). However, the current API/PNR PIB does 
not fully reflect all of the legal authorities. 


Relevant and Necessary/Proportionate: is the personal information collected: necessary, 
proportionate and related to an operating program or activity? 


The personal information that is collected is necessary for the targeting process and is related to the 
API/PNR Program and HRTL The CBSA has authority to collect and use all elements of personal 
information in its targeting processes as outlined in Privacy Act Principle 2: Collection of Personal 
information of the API/PNR Project PIA and in Section 5 = privacy compliance analysis and SECTION 4 - 
FLOW OF PERSONAL INFORMATION of this PIA Report. 


integrity and Data Quality: Are all steps taken to ensure continuing accuracy and completeness of personal 
information, including any caveats or conditions attached to such information? 


2 w 


The issuance of queries to additional enforcement databases is in itself a process of determining the accuracy 
and completeness of personal information and while this practice was undertaken with the risk scoring 


individuals on an equal basis without unlawful discrimination? | NO 


SBT methodology is automatically applied to all travellers onboard international flights bound for Canada 
without discrimination. | 
Information Security: Have security procedures for the collection, transmission, storage and disposal of DS YES 


personal information, and access to it, been documented? | | e 
An IT Security Risk Mitigation Analysis was conducted in 2013. it was focused on Scenario Based Targeting for 

High Risk Travellers ~ Transition Architecture R1 & R2. Further safeguards-related information can be found at 

13. Safeguards - Threat and Risk Assessment and atSECTION 2 - RISK AREA IDENTIFICATION AND 

CATEGORIZATION. 


Accountability: 


i. Has the accountability of the program custodian for personal information been documented? 


Although the Pre-Border Program Directorate, the functional program authority for SBT, has policy oversight 
for personal information related to SBT, the CBSA's Access to Information Coordinator has full authority 
delegated by the head of the institution for the administration of the Privacy Act. In June, 2012, the CBSA 
implemented the role of a Chief Privacy Officer. A director general, the Chief Privacy Officer's mission is to 
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which takes into account the privacy rights of individuals, the obligations of the Privacy Act and related 
policies, and the Agency's need to collect, retain, use, disclose and dispose of personal information. Privacy is 
a shared responsibility. In order to bring executive-level focus to privacy risks, the Chief Privacy Officer chairs 
and is supported by a CBSA privacy oversight committee of key executives drawn from across the 
organization. In these ways, the CBSA ensures accountability for the personal information it collects, uses, 
discloses and retains. 


2. Are there oversight and review mechanisms implemented or available to ensure accountability? 


in addition to the Chief Privacy Officer role noted above, the Privacy Commissioner of Canada has a mandate 
to conduct compliance reviews of the privacy practices of government institutions as the practices relate to 
the collection, retention, accuracy, use, disclosure and disposal of personal information by government 
institutions subject to the Act. The Commissioner has the powers of an ombudsman and can make 
recommendations with respect to any matter which has been investigated or reviewed. In addition, the 


i. Hasthe custody and control of personal information been determined and documented? (INO 


Please refer to SECTION 5 - PRIVACY COMPLIANCE ANALYSIS for details on the custody and control of 
SBT-related personal information. 


2. Does the Agency have clear authority to collect, retain, use, and disclose such personal information? 


Individual Access and Rectification: Are there documented procedures developed or planned for how to 
initiate privacy requests or requests for the correction of personal information? 

CBSA follows routine procedures for responding to privacy requests or requests for correction of personal 
information and publishes information for the public at http;//www.cbsa-asfc.gc. ca/security- 

information. When a query result provides information that is displayed, PAXIS retains a key, unique number 
and/or a summary of the information but not the full detailed information itself. When a SBT query to 
another database results in the viewing of personal information, by the Targeting Officer, but not the 
retention of that information, it raises a question as to how the individual concerned would ever access his or 
her SBT-related personal information. In such an extremely unlikely situation, CBSA authorities could recreate 
the previously displayed information in response to a request filed by an individual under s.s 12 (1) of the 
Privacy Act for his or her personal information. In every case, the personal information would be evaluated 
through existing routine processes and could be withheld from disclosure under various exemption provisions 
contained in the same Act due to its confidential nature. 


CBSA targeting officials are not in a position to make changes to any of the personal information used in the 
process of determining to issue a target because the information is sourced from systems managed by other 
components of the CBSA or by external parties. A request for correction for personal information residing in 
any of the systems that feed the SBT could be made to the owners of those systems and routine procedures 
would follow. 


Transparency and Notice: 


Should notice need to be limited for national security or law enforcement reasons, such as the protection of an 
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ongoing investigation or the protection of victims or witnesses, the limitation on notice should be consistent 
with all applicable laws of Parliament. 
1. Is there a privacy notice at the collection stage that identifies the specific purposes for the collection, 
the authority for doing so and the individual serving as official contact? 


Airline carriers are required to become certified by CBSA with respect to the API/PNR process and are 
required to provide traveller's with access to a privacy notice statement. In addition, CBSA publishes an 
API/PNR privacy notice at http://www. chsa-asfe ge ca/security-securite/apt ipv-eng.html. 


2. if personal information is not disclosed with the consent of the individual, has the specific authority ES 
for disclosure been identified? | NO 


Refer to item 1 at SECTION 5 - PRIVACY COMPLIANCE ANALYSIS for details related to the CBSA's specific 
legal authorities for the collection, use and disclosure of SBT-related personal information. 


requirements? 


Subsection 29(1) of the Privacy Act describes how the OPC receives and investigates complaints from 
individuals in respect to their personal information held by a government institution. CBSA responded to 54 
such privacy complaints during 2011-2012 and has implemented new electronic processes and tools for 


responding to privacy complaints. 


Restrictions on Onward Transfers to Third Countries: 

Where personal information is provided, in accordance with relevant domestic law, by a competent authority 
of the United States or Canada (the originating country) to a competent authority of the other nation (the 
receiving country], the competent authority of the receiving country is to authorize or carry out an onward 
transfer of this information to a third country only if consistent with the domestic law of the receiving country, 
and in accordance with existing applicable international agreements and arrangements. 


in the absence of such international agreements and arrangements, the receiving country may transfer the 
personal information to a third country when consistent with the domestic law of the receiving country, in 
which case the originating country is to be notified: 

c prior to the transfer; or 

o as soon as reasonably possible after the transfer in the case of exigent circumstances. 


i1. Has the information been collected from a government authority in United States? 


As indicated At SECTION 5 - PRIVACY COMPLIANCE ANALYSIS, SECTION 4 - FLOW OF PERSONAL INFORMATION | 
and SECTION 3 - ANALYSIS OF PERSONAL INFORMATION ELEMENTS, the SBT process relies, in part, on 
personal information collected from the USCBP when a traveller's API/PNR information matches a scenario. 


2. Wil the information be transferred to a third country? 


Retention: 


1. is the personal information scheduled for retention and disposition? 
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Personal Information Bank CBSA PPU 008 outlines the retention and disposition practices. 


2. ls personal information disclosed for secondary use, not supported by legislative authority? E YES 
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Personal Information Elements and Sub-elements 


API Cluster 


Purpose / Necessity 
of Element 


| Name | The passenger's surname, first name, - Electronic 


. middle name and initial or initials, if any — (crew coming to Canada. 


| Date of Birth Date of birth — | The passenger's date of birth — | Electronic 


. Citizenship or nationality . The passenger's citizenship or Electronic | 
nationality, or failing either of these, the | | crew coming to Canada. 
| country that issued travel documents to. — 


Travel Document | Type of travel document | - Electronic : Necessary to help establish identities of passengers and 
| that identifies them, the | prew coming to Canada. 
name of the country in : 
which the travel 
| document was issued 


. and the number on the 


E-Ticket information Reservation record : tiectronic Necessary to help establish identities o? passengers and 
| locator number (if any) i | Crew comme to Canada, 


Crew detailed information | Crew member status (in . Indicates treveller’s status as a crew Electronic — Necessary to help establish identities of passengers and 
| | the case of a person in | member crew coming to Canada. 
Charge of the 


Canada Border Services Agency 
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Category Of . . Personal Information —— Personal Information. 
Personal Information | Element | Sub-£lement 


Format 


or any other crew 

member without 3 

reservation record 
 iocator number) 


PNR Cluster 


Category Of | Personal Information — Personal nformation (0 02 - Purpose 1 Necessity 
2 s | : ; | Format oe 
Personal Information Flement Sub-Element 


. Name The passenger's 
| middie name and initial a or initials, if any 


Electronic Necessary to hel “ip assess potenti ial ri k posed by d passenger. : 


API information | . Electronic — Necessary to help assess potential risk posed by a passenger. 


Ticket Information PNR record locater code | The PNR number «Electronic Necessary to help assess potential risk posed by a passenger. 
|  Asavallahle in the traveller s Passenger 

Name Record in dr carrier s airline 

reservation system! 


| E-Ticket information Date of intended travel The travel date for the Hight o Electronic — Necessary to help assess potential risk posed by à passenger. | 


E-Ticket Information Date of reservation The date on which the PNR was created Electronic — Necessary to help assess potential risk posed by a passenger. 


E-Ticket information Date of ticket issuance The date on which the passenger's ticket | Electronic Necessary to help assess potential risk posed by a passenger. 
for the Hight was issued 


| E-Ticket information Travel agencies if applicable, the names of the travel Electronic — Necessary to help assess potential risk pased by a pas senger 
| . agency that made the travel 
| arrangements 


Canada? 
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Category of - Personal information Personal Information oo : P : Purpose / Necessity 
. p E eore | oe 2 C . Format — pur | 
Personal Information = Element | Sub-Element _ of Element 


| Travel agent . K applicable, the name of the travel |o Electronic Necessary to help assess potential risk posed by à passenger. 
| agent that made the travel arrangements 


E-Ticket Information 


Contact telephone The phone numbers of the passenger Electronic Necessary to help assess potential risk posed by a passenger. 
|mnfemmation and, if applicable, the phone number af 
| the travel agency that made the travel 
: “arrangements 00 

Billing address The address of the passenger and, if Electronic Necessary to help assess potential risk posed by a passenger. 


_ applicable, of the travel agency that 


E-Ticket faformation 


|EOPEket information 


: All forms of payment | The manner in which the ticket was paid Electronic — Necessary to help assess potential risk posed by a passenger. 
| information for - 


| Information (limited to 
miles flown and 
addresses} — | 
| Ticketing Field | The date, if any, by which the ticket 
| Information | the flight had to be paid for to avoid 
| cancellation of the reservation, or the 

. date, if any, on which the request for a 

| reservation was queued from the 

| transportation company to the ticketing 
a offie | a 
: Ticket number | The number assigned to the passenger's —— Electronic Necessary to help assess potential risk posed by a passenger. 
ticket for the flight 


Electronic Necessary to help assess potentiel risk posed by à passenger. 


«E-Ticket Information 


| Split/divided PNR ' Electronic — Necessary to help assess potential risk posed by a passenger. 


E-Ticket information Go show information if applicable, a notation that the tlectronic Necessary to help assess potential risk posed by a passenger. 
- (ticket purchase without passenger arrived at the departure gate 
| a reservation) with a ticket but without a reservation 


No show history i flectronic | Necessary to help assess potential risk pased by à passenger. 
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| E-Ticket Information 


visus nr PH DAR S AL RES 
SOPVICOS ABOnCV 


- Standby Information 
| Other names on PNR 


| Order of check in 


Seat information 


Seat number 


Personal Information 
 Sub-Element 


The itinerary cities, being all points 


where the passenger will embark or 


disembark, car rental segments, and 


| The baggage tag number associated 


hotel segments. 


with the passenger s checked 
baggage. 


. Any stated seat request in respect of 


the flight 


that was selected for the passenger 


_ prior to departure 
, if applicable, a notation that the 
| passenger's ticket for the flight is a 


one-way ticket 


Electronic 
Electron ic 


Electronic 


Electronic 


Electronic 


Necessary to he 


, Necessary to help assess potential risk posed by a 
| passenger. 


- Necessary to help assess potential risk posed by à 


passenger. 


Necessary to help assess potential risk posed by a 
passenger. 


Necessary ta help assess patential risk posed by a 


passenger. 
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| Prolected B 


Other Databases 


The scope of the SBT PIA assessment does not include the operation of FOSS, CPIC, ICES, Interpol, ar ICS, although personal information from 
these systems may be used for purposes of SBT. It must be noted that the results of queries made to all systems are rendered and presented to 
system users in a seamless and integrated fashion; however, the detailed results of the queries are not stored within PAXIS A key, unique 
number and/or summary, indicating that a hit resulted from any one of the queries, is recorded in PAXIS. It is important to note that the queries 
to the other databases are a current practice, currently accessed manually by a Targeting Officer, as part of the targeting process. The SBT 
initiative includes enhancements to simply automate the queries. 


| CBSA / CIC ividual has an immigration | 
| related activity record in FOSS. i results à are Brenda à summary of ihe information is retained in | 
; PAXIS. The targeting officer may view limited details of the individual's FOSS record. This is a use af 


| previously collected or compiled personal information. 


| Field Operation Support 
System (FOSS) 


Canadian Police — — | RCMP I n An electronic qu query from PAXIS to CPIC is made to determine if an individual has tactical and or [ 
information Centre [CPIC) | operational law enforcement information in CPIC. This may include but not be limited to warrants, | 
i i | criminal records, court proceedings, etc. if a result is returned, an indicator of that result is placed 
in PAXIS. The targeting officer may view the CPIC record. This is a process that is currently applied 
manually in the CRIC Web application, and is not changing as result of the SBT initiative, except to 
| be automated for efficiencies. 


D — — m M ec tin as A ce aa de acs a pee 
integrated Custom | | CBSA | An electronic: query from PAXIS to ICES is made to determine if an indi vidual has an enforcement _ 


Enforcement System | record in ICES. If results are returned, an indicator of a result is placed in PAXIS and the targeting 
| CES) i | officer may view a synopsis cf the individual's enforcement records deemed to be a match ora 
j | close match, This represents a use of previously collected personal information that is not changing 
| as a result of SBT. This occurred with risk scoring too. 


en rran AETERNE EEEE IEPER EEEIEE PP TUITION SENSA ANNAM ASSAD AAS SAGA PAAR SNAM IRIS RNA DEEDES DAES DRASS RSR RER RER tn ELE AIEEE 


| Integrated Custom l An electronic query from PAXIS to Global Enroiment Component (GEC] is made to determine if a 


| System (ICS) Global traveller is an active member af a trusted traveller program; CANPASS Air or NEXUS 
Enrollment Component |- 
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MMMM""""---————————————————————————— 


linterpot | RCMP An electronic query from PAXIS to CPIC will result in responses indicating Interpol criminality and | 
| j warrants. A positive result will provide an ID number which users will be required to manually 
| query to retrieve details. 


CBSA An electronic query from PAXIS to IMS is made to determine if an individual is identified as being Qu 
i part of a project or case within the intelligence stream. If a result is returned, an indicator is placed 
: in PAXIS. The Targeting Officer can view detailed results. 


NOR ——— a E AA A —— —— PRE UU MOM AT AA 


Automated Targeting US CBP | API/PNR information is shared with this organization pursuant to the Memorandum of - 


—— E Ju LL Ifermation. 
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4.3 Internal Use and Disclosure 


(NTC) 


CSIs ^ | . The information is disclosed to RCMP and CSIS in | accordance wit 2(2)e], 
when required and as defined in Section 9 of the PPIR. This process is not 
 anew process caused by the application of SBT. This existed with risk 


+ This p process is not a new process een ‘byt the a i m S BT. m: 
existed with risk scoring. 


i Records will be retained for 3. Sy years sby the CBSA e date of 
travel and then the records are destroyed. Where the API and PNR 
information relates to a person who is the subject of an 
investigation in Canada API and PNR information may be 
transferred to an enforcement database of the CBSA (including 
target information) and be retained in that system for a period of 
no more than 6 years and destroyed after 6 years. 
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| Pre-Border Programs Directorate Program Advisor/Officer Ottawa 
| Traveller Targeting and Advance | Program Manager 
| information Programs Division | Scenario Administrator | 


_ National Border Operations | Targeting Officer | Ottawa 
| Centre / | Intelligence Officer | 
National Targeting Centre | Supervisor 


| See also designated users in CBSA 
| D-Memorandum-1-16-3 


1 


| Business Systems Support | Technical Support Ottawa 
| Directorate/ : | 

| Business Systems Support - 
| Enforcement Division 


| 


| Branch/ 
| Solutions Directorate/ 


Enforcement Systems 
| 


Information Science and Technology | Developer/Systems Analyst Ottawa 


Has a legal authority been identified for the collection of personal information for this program or activity? 


Statutory reference: Section 4 of Privacy Act (Section 4 has been interpreted to mean that a legal authority 
must be established for a collection of personal information, but section 4 does not provide legal authority for 
such a collection). 
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is the personal information collected directly related to an operating program or activity? 


Canada 
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-> Continue to Question 2 
No 
: 1.3 [ ] If there is no legal authority for the collection of personal information, it cannot be collected. Please 
| consult your legal advisor to determine if there is authority to proceed with the program or activity. 
**The PIA process must not continue without this key information.** 


is each element and sub-element of personal information collected or to be collected necessary to 
administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 


Policy reference: Sections 6.1.1, 6.1.3, 6.1.4, 6.2.7 and 6.2.8 of Directive on Privacy Practices 


X] AND, implement controls and procedures to ensure the CBSA does not collect more personal 
information than is necessary for the identified program or activity and that a continuing need exists 
for that information or its collection. 


s Standards for API-PNR information elements are published by the World Customs Organization (WCQ) | 
and internationally recognized by other international governments, notwithstanding an individual 
country's privacy framework. The information received by the CBSA meets parameters set out in 
CBSA's regulations and does not use restricted information elements. Refer to the API-PNR Program 
PIA for the collection of API/PNR information. 

e Additionally, the Targeting Program continuously monitors and reports on the effectiveness of the 
targeting program relying on analytics, trend and patterns and operational intelligence for the 
effective use of scenarios which rely on API/PNR information. 


4.3 Are secondary uses contemplated for the information collected? 


[ves [X 


x NO (Continue to Question 3] 


2.3.2 If not, is there authority for the use or disclosure of the personal information? 
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Is the collection of the Social insurance Number (SIN) necessary to administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 
Policy reference: Section 6.2.13 of Policy on Privacy Protection and sections 6.1.1 and 6.2 to 6.4 of Directive on 
Social insurance Number - 
Also see "Guidance for Preparing Information-Sharing agreements Involving Personal information" and "Taking - 
Privacy into Account Before making Contracting Decisions" 

TES 


check al sparen e bel PM 


d | N | State egal nn i for collecting the SIN: 


OR, in the ibserica of a legal authority to collect the SI 
| | Esta blish de icit ox bend ds) ative Lad 


AND, if disclosure of the SIN T" the CBSA is to occur on a routine or systematic basis 


3.4.3] | to another federal institution that is authorized to collect it, or to another level of government, 
establish an agreement or arrangement that includes specific provisions to limit the use of the 
SIN. 

to a contractor or other external service provider, establish a contract that includes specific 
diea to limit the use of the SIN. 

PIB for the program or activity states the authority under which the 


SIN. is che and hn purpose for which it is used. 
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~> Continue to Question 4 
3.6 D4 LS, The SIN is not necessary and it will not be collected, used or disclosed to administer the program or 
activity. 


-— Continue t to Question 4 


Is personal information collected directly from the individual to whom it relates? 


Statutory reference: Sections 4 and 5 of Privacy Act 
Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and section 6.1.2 
and 5.4.1 of Directive on Social Insurance Number 
i E 4 i Il 


Vanda DODPOOD Services AG ently 
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41 | | A "Privacy Notice" (adapted for either verbal or written communicati ions) must be provided to the 
individual at the time of collection and it must include the following elements: 


a) The purpose and authority for the collection 

b) Any uses or disclosures that are consistent with the original purpose. 

C) Any uses or disclosures that are not related to the original purpose 

d) Any legal or administrative consequences for refusing to provide the personal information 

e) That the "individual to whom the information relates" has rights of access to, correction of and 
pene of beider information under the Privacy Act. 
PIB for the program or activity 


a) Why the SIN is collected, how it will be used and the consequence of not providing it. 


AND, aedi a “Consent SENED to the es Notice” as appropri iate, if the personal information is to : 
Secondary Use) or a consistent use, — 


The "Consent Statement" must include the following elements: 
a) The purpose of the consent and the specific personal information involved. 
b) In the case of indirect collections, the sources that will be asked to provide the information. 
c) Uses and disclosures that are not consistent with the original purpose of the collection and for 
which consent is being sought. 


: in consequ uences that may result from withholding consent. 


* * 


| A N D, it Ime 
bebes or r not; an ades ual | provided ts consent t when i iti was nant includin ing a Moses doce snting 
any withdrawal of consent when applicable. 


Additional Consent Considerations (s. 77(1)(m) of the Privacy Act): 
| |] Standards and mechanisms are in place to ensure that the individual has capacity to give 
consent. 


| NO 

4.4 [X] The personal information necessary for the program or activity is not collected directly from the 
individual. It is collected indirectly, for example, from another program within the CBSA, or from 
another institution, government or third party. 


— Continue to Question 5 


_ Is personal information collected indirectly from another source with the informed consent of the individual 
to whom it relates, or from a person authorized to act on behalf of the individual pursuant to section 10 of 


Canada Border Services Agency 


e rmation Aci 
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| Protected B 


Statutory reference: Sections 4 and 5 of Privacy Act and section 10 of Privacy Regulations 
Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and sections 6.1.2 
and 6.4.1 of the Directive on Social Insurance Number 
4 2 The notice and consent requirements stated at Question 4 apply. Please provide the "Privacy Notice" 
and/or "Consent Statement" below: 
The SBT methodology relies on previously collected information through the existing d NR 
Program. Refer to the ‘Privacy Act Principle 3: Consent’ section in the API/PNR Program PIA 


9 2 | | AND, implement controls and procedures to ensure the CBSA keeps a record documenting whether 


or not an individual provided consent when it was sought, including a record documenting any 
withdrawal of consent when applicable. 


ND, if information is being collected from persons authorized to act on behalf fof minors, 
incompetents or individuals who have been deceased for less than 20 years, implement appropriate 
mechanisms to ensure that such persons are authorized to act on behalf of individuals who do not 
have the capacity to provide consent. 


Eod 


— Continue to Question 5 


NO 


54 | | — Continue to Question 6 


Is personal information collected from another source without notice to or consent from the individual to 
whom the information relates? 


Statutory reference: Sections 4, 5, 7 and 8 of Privacy Act and section 10 of Privacy Regulations - 
Policy reference: Sections 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices, section 6.2.15 of the Policy | 
on Privacy Protection and sections 6.3.2 and 6.3.3 of Directive on Privacy Impact Assessment - 


L H [| Where information is collected indirectly under any of the following circumstances without notice to, 


or consent from, the individual to whom it relates, please check the applicable boxes and explain as 
requested: 


a) The collection is a result of a disclosure to the CBSA under subsection 8(2) of the Privacy Act. 
State the applica ble paragraph(s ) of subsection 802) and a pfovide a brief explanation for each: 


b) Direct notification of the individual might result in the collection na inaccurate information, or 
might defeat the purpose or prejudice the use for which the information is collected. Briefly 
explain why noti ice is not provided: 


Scenario Based Targeting for High Risk Travellers 


E The information involved in the program or activi tyi is tO y be used stele fora anon- 
administrative purpose in which no decisions are made about the individuals to whom the 
information relates. 


6 2 =i AND, if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the relevant 


D 3 1A AND, if the information is to be used solely for a non-administrative purpose (box c above has been 
checked), ensure that the requirements under sections 6.3.2 and 6.3.3 of the Directive on Privacy 
impact Assessment have been met, and that the decision of the official responsible for section 10 of 
the Privacy Act to proceed with a CBSA PIA for the program or activity has been adequately 
documented in the description of the program or activity in "Section 1 - Overview and PIA Initiation" 
of the CBSA PIA. 


| ] OR, if none of the circumstances in a) b) or c) is applicable, then the personal information must be 


co died sand from the ingi vidual, or ingi orechy v with the: consent ef the indi vidual, Please review 


— Continue to Question 7 


Sa All personal information is collected directly from the individual to whom it relates, or from 
adt source with notice to, or consent from 


ofthe individual (see Questions 4 and 3 above).—+( Continue to Question 7 


CBSA - Released under the Access to Information Act. 
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the individual or a person authorized to act on behalf : 


Has Library and Archives Canada approved a records retention and disposal schedule that applies to the 


. personal information? 


Statutory reference: Section 12 of Library and Archives Canada Act, sections 6, 10 and 11 of Privacy Act and 
section 4 of Privacy Regulations 
Policy reference: Sections 6.1.3, 6.2.11 to 6.2.13 and 6.2.23 of Directive on Privacy Practices 
YES 
| Please identify the Record Disposition Authority (RDA) and describe the retention and disposal 
schedule: 


7.4 E AND, peared control S dri ia Pub N to ensure that t personal ir information used to m Bases a 
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time as the individual has had the opportunity to exercise all his/her rights under the Act. 


[X] AND, if the CBSA intends to dispose of personal information that has been used for an administrative 
purpose prior to the expiration of the two-year minimum retention standard established by the 
Privacy Regulations, it must obtain the consent of the individual to whom the information relates 
before doing so. 


[X] AND, the CBSA must cite the RDA number, the retention period and the disposition standards for the 
personal information in the relevant Pi 


1. RDA Number 90/002. Records will be retained for 3.5 years from date of travel and then the records 
are destroyed. Where the API and PNR information relates to a person who is the subject of an 
investigation in Canada the API/PNR information will be transferred to an enforcement database of 
the CBSA and be retained in that system for a period of no more than 6 years and destroyed after 6 
years. These details are cited in PIB CBSA PPU 008. 


— Continue to Question 8 


NO 


ribing the records 


containing the personal information for which the institution requires a RDA. 


AND, obtain a RDA from Library and Archives Canada to allow the CBSA, under certain conditions, to 
dispose of records that no longer have operational utility for the program or activity. ese 
7.7 | | AND, ensure that all the other applicable requirements listed under "YES" at Question 7 are met. 


— Continue to Question 8 


Will measures be adopted to ensure that personal information used by the CBSA for an administrative 
purpose is as accurate, up-to-date and complete as possible? 


Statutory reference: Sections 6, 10 and 11 of Privacy Act and sections 10 and 11 of Privacy Regulations 

Policy reference: Sections 6.1.1 and 6.2.9 to 6.2.16 of Directive on Privacy Practices 
[X] Please check any of the following measures that will be adopted to ensure accuracy of the personal 
information and provide details as requested: 


| Personal information will be collected directly from the individual to whom it relates or it will be 
validated with the individual or a person authorized to act on behaif of the individual. 


_} A data-matching process will be used to verify the accuracy of personal information against a 
"reliable source" (within or outside the CBSA) where this is authorized, or where consent was 
obtained. 


| 


ie 
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trusted sources (public or private) and verify accuracy against existi ing personal informatio 
before use, 


g2 i 


person dno dd " act c on abeha sra the individual", the CBSA r m nnd alien sees en Hour 
and procedures to ensure that: 


a) the techniquels) and the specific source(s) used to validate or update the personal information 
are documented; 


b) individuals are given the opportunity, whenever possible, to request correction of any inaccurate 
personal information before the information is used in a decision-making process that affects 
them; 

C) personal information can only be modified or corrected by those within the CBSA who have the 
authority to do so; 

d) when personal information is corrected or annotated, the record of personal information 
indicates the date of the last correction or annotation and the source of the information used to 

make the correction or annotation; and 

e) when personal information is corrected or annotated, other authorized holders of the 
information are notified about the correction or annotation and that all copies of the information 
in n the possession of the CBSA are corrected / annotated. 


XY DN ebore viv vor vbi viv vi vvv E EN EE vtt t 


| Travellers have the right to request a copy of the API/PNR information that commercial 
| carriers provide to the CBSA. They can also request that a notation be included if any of | 
the information is incorrect as follows: | 


| Pursuant to the Privacy Act and the Access to Information Act, the following can access 


a) a Canadian citizen | 
b) a permanent resident within the meaning of subsection 2 of the Immigration and | 


Canada Border Services Agency 
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Refugee Protection Act 

C) Aforeign national present in Canada 

d) A person present in Canada with the consent of the foreign national not present 
in Canada. 


In addition, API/PNR program will afford access, correction and notation rights related to 
API/PNR information to persons that are not in Canada on an "informal basis". The 
disclosure request must be made to the CBSA using form BSF153, Travellers API/PNR 

Request, available on the CBSA website. | 
The capacity to change incorrect personal information contained in the ms exists, as | 
noted in the API/PNR Correction Process Flow. The PAXIS IT Team of the information | 
Science e and Rue Branch, Enforcement incer Division, with the Mic dE | 


are amended to identify the data-matching activity including the source(s). 


— Continue to Question 9 


— Continue to next Question 9 


Will the personal information collected for the program or activity be used solely for the original purpose 
for which it was obtained or compiled, a use consistent with that purpose, or a purpose for which the 
information was disclosed to the institution pursuant to subsection 8(2) of the Privacy Act? 


purposes wil " be i cited : to authori zed indi iduals whe need to know the: tes to perform their 
official duties. | 


- 9.5 E AND, ensure that these other uses are reflected in the relevant PIZ. 
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X) AND, ensure that the “Data Flow Diagram" or "Data Flow Tables" completed for "Section 4 - Flow of 
Personal Information" of the CBSA PIA identify the areas, groups and individuals (e.g., the positions) 
within the CBSA who have a need-to-know to access to or handle the personal information, including 
their geographical location and where the personal information will be stored or retained. 

Refer to Appendix A, API/PNR Authorized CBSA Officials and Access Level, CBSA D1-16-3 
Memorandum. 


9.3 AND, if the purposes for which the personal information is used includes any use(s) of the 
information for a non-administrative purpose, (such as research, statistical, audit and evaluation 
purposes) the CBSA will adhere to the requirements and principles in the CBSA Privacy Protocol For 
Non-Administrative Purposes (2012), in accordance with section 6.2.15 of the Policy on Privacy 


Protection, to address any impact that such non-administrative uses may have on privacy. 


NO 


not directly related to the purpose of the collection, or, which are not consistent with that purpose 
or for which the information was disclosed to the CBSA pursuant to subsection 8(2) of the Privacy 
Act: 


9.6 | | AND, include a description of these other uses in the “Privacy Notice" or "Consent Statement", as 


appropriate, 
| | AND, ensure the all the other applicable requirements listed under "YES" at Question 9 are met. 


+ Continue to Question 10 


CBSA - Released under the Access to Information Act 
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Will personal information be disclosed for purposes directly related to the administration of the program or - 
activity? | 


Statutory reference: Sections 5 and 8 to 11 of Privacy Act. 


Policy reference: Sections 6.2.10, 6.2.11 and 6.2.13 of Policy on Privacy Protection, sections 6.2.1 to 6.2.3 of 


Practices and section IV of Appendix "C" of Directive on Privacy impact Assessment ) 


Also see "Guidance for Preparing Information-Sharing agreements Involving Personal Information" and "Taking - 
Privacy into Account Before making Contracting Décisions | 
YES 
X) Please check all applicable boxes below and, for each disclosure, identify the name of the 
organization or third party to which personal information will be disclosed. if it is disclosed within 
the CBSA, please identify the branch and the program or activity. 
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10.1.6 a The private sector (e.g., contractor or other external service provider) 


10.1.7| | Other 


X] AND, ensure that: 


10. &L 


a) any such dicU is ie in B is with section 8 of the paa Act, which allows 


ees uci 3(1)) 0 or san consent i in certain s rimi circumsta nces eee to 
subsection 8(2) of the Act; 

b) only personal information elements that are necessary for the intended purpose are disclosed; 

cC) the organization or third party receiving the personal information is authorized to do so; 

d) administrative, physical and technical safeguards appropriate to the sensitivity of the information 
will be applied to protect the information during and after its transmission (see Question 15); 

e) the organization or third party to which the personal information will be disclosed for the 
administration of the program or activity are identified in the "Consistent Use" section in the 

relevant in CBSA Info Source, including the specific purpose of the disclosure; 


the "Privacy Notice" or "Consent Statement" describes any disclosures of information; and, 
f the "Data ps Di rapran m” or Nd Flow Tables” Ba cda in "Section 4 ~ Flow ded Personal 


“40. 3 Dx] AND, any disclosure of personal infartration to another federal institution or outside the 
Government of Canada is governed by a formal agreement or arrangement (e.g., a Memorandum of 
Understanding, an accord, a contractual arrangement, etc.) to ensure that appropriate privacy 
protection clauses are included, and, where applicable, include provisions for inter-jurisdictional or 
transborder flows of personal information. Such clauses must cover the following topics: 


a) Control over personal information, where appropriate. 

D) Limitations on the collection, retention, use and disclosure of personal information. 

€) Measures (administrative, technical and physical) to protect the integrity and confidentiality of 
personal information. 

d) Measures governing the disposition of the personal information, where relevant 


eJ Measures to ensure or verify that the personal information is only used for the purposes related 
to the agreement, arrangement or contract. - 


f) Obligations are to be extended to other parties such as subcontractors. 
-> Continue to Question 11 


Canada Border Services Agency 
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104 | | There is no disclosure of personal information within or outside the institution for purposes that are 
| directly related to the administration of the program or activity. 


à Continue to Question 11 


11.1 [X] Appropriate controls and procedures have been or will be implemented to ensure that: 


a) the head of the institution (The ATI and Privacy Director) or the appropriate delegate is notified 
about any new use or disclosure of personal information that is not reflected in the PIB 
description published in CBSA Info Source; 

b) the consent of the individual to whom the information relates is obtained in writing, as 
appropriate, prior to any new use of the information for an administrative purpose that is not 
reflected in the relevant PIB published in CBSA Info Source, unless the new use is considered to — 
be consistent with the purpose for which the personal information was obtained or compiled and - 


the new consistent use; 
c) exceptas permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 


will only be made with the consent of the individual to whom the information relates; 
d) arecord is kept for any new use or disclosure of personal information not described in the 


information to which it relates and retained for a minimum period of two years following such a 
use or disclosure; 

e) if the information is disclosed to a federal investigative body under paragraph 8(2)(e) of the 
Privacy Act, the record of disclosure will be kept in a separate PIB for a period of two years where 
it will be available to the Privacy Commissioner for review upon request; 


f) the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith, as required | 
under subsection 9(4) of the Act, of any new use or disclosure that is consistent with the purpose - 
for which the information was obtained or complied, but which is not reflected in the relevant — — 


E 


g) the relevant PIB is amended in time for the next edition of CBSA Info Source to include any new 


use(s) or disclosure(s) that are consistent with the purpose for which the information was 
obtained or compiled, as well as any routine use(s) or disclosure(s) that do not fall within the 
categories of purpose of collection or consistent use and 


n) the Privacy Commissioner is notified, by the ATI and Privacy Director, prior to or forthwith, as 
required under subsection 8(5) of the Act, about any disclosures made or to be made in the 
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— Continue to Question 12 
ES 2| | ] Please explain why such controls and procedures will not be pe 


— Continue to Question 12 


Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of sensitivity of 
the personal information to be collected and retained for the program or activity? 


af 


12.1 [X] The information contained in the SoS or similar analysis has been taken into account when assessing 
the level of risks to privacy in "Section 2 - Risk Area Identification and Categorization" of the CBSA 
-> Continue to Question 13 
| La, 2| ] Please explain why a SoS or similar analysis was not considered necessary to assess the sensitivity of 
the information. 


«> Continue to Question 13 


t a nd Risk Assessment 


| | Has a ! Threat and Risk Assessment IEHRA d ora asimitar e de assessment been completed for the program or 


Statutory reference: Sections 7 and 8 of Privacy Act. 
Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: Management of 
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Documents List" and provide a brief synopsis of the assessment in the space below 


x] AND, obtain assurances from the officials responsible for the program or activity that the measures 
recommended in the assessment have been implemented to ensure the confidentiality, availability 
and integrity of the personal information. 


13.3 [X] AND, ensure that any residual risks to personal information are known and accepted by the 
executive or senior official responsible for the program or activity and the Head or delegated 


authority for the Privacy Act. (ATi and Privacy Director) 


-> Continue to Question 14 
13.4 If a TRA or similar security assessment is underway, simply reference that fact in the space below and 
indicate when it is likely to be completed. If there is no intent to complete one, please explain. - A, 


—^ Continue to Question 14 


identify below any administrative, physical and technical safeguards in place, or to be implemented, 
for this program or activity to ensure the confidentiality, availability and integrity of the personal 
information. 


Statutory reference: Sections 7 and 8 of Privac 


rective on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 


Policy reference: Appendix C of Di 


Information Technology Security (MITS) 
Please check all that apply, including safeguards identified by the TRA or similar security assessment. 
14.1 Administrative safeguards : 
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Contingency plans and documented procedures in place to identify and respond to security and 
privacy breaches, and to communicate security violations to the data subject, law enforcement 
authorities and relevant program managers 


<] Methods to ensure that only authorized personnel who need to know have access to personal 
information 


14.2 Physical safeguards 

x] Restricted access areas 

| Security guards 

| Identification badges are worn by staff at all times 
Xj After hours alarms and monitoring systems 
Locked filing cabinets 

UX; Combination locks 

X] Safes 

Cipher locks 


[X] Key cards 
(X) Video surveillance (closed-circuit television) 


X] Secured server locations 


| Backups secured off-site 


[ ] Other 


| Biometrics 


XX] Passwords (minimum of 6 characters long, include alpha and numeric characters) 

/X] Passwords are changed by users every 90 days and recently used passwords cannot be re-used] 

[X] Password protected screensavers 

Dx] Session-time out security (automatically locks an account after a session has been idle for a 
specified amount of time) 

| Firewalls 

Intrusion Detection System (IDS) 


NM NET————————————— M 
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[X] Audit trails 
| | Other 


Will the information system(s) used to deliver the program or activity employ cookies or other tracking 
technologies to collect personal information about users and their transactions? 


Policy reference: Subsections 6.1.1, 6.1.3, 6.1.9, 6.2.9 to 6.2.13, 6.2.17 and 6.2.23 of Directive o 
Practices 


YES 


Privacy of "Section 2 — Risk Area identification and Categorization" of the CBSA PIA; 
io = AND, the collection of any personal information using such technologies is reflected in the relevant 


15.3| | AND, the use of such technologies to collect information about users and their transactions is 
adequately reflected in the "Privacy Notice’; 
.15.4| | AND, those responsible for implementing and using tracking technologies to collect personal 
information or who may have access to personal information collected through these methods are 
made aware of privacy and security policy requirements; 


15.5| ] AND, where personal information collected through such tracking technologies is used to make a 


decision that directly affects the individual to whom the information relates, it will be retained for a 
minimum of two years after the last administrative action as required under the Privacy Regulations. 


NO 


15.6 Tracking technologies are not used to collect personal information about users. 


| Will the new or modified program or activity result in new or increased surveillance or monitoring of a 
targeted population? 
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Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
16.1[ ] Consult with your legal advisors to determine whether or not such surveillance or monitoring 
| activities raise any issues relating to the Charter of Rights and Freedoms, the Privacy Act or other 
- applicable acts. 
16.2 And, ensure the surveillance or monitoring method(s) to be used, the characteristic(s) of the 
| targeted population and the scope of the surveillance or monitoring are adequately described under 
Part 6: Technology and Privacy of "Section 2 — Risk Area identification and Categorization” of the 
| CBSA PIA. 
.16.3| ] AND, any personal information collected or created as a result of such surveillance or monitoring is 


18 and in Section 3 —- Analysis of Personal information Elements" of the 


| AND, the collection or use of personal information through surveillance or monitoring is adequately 
reflected in the "Privacy Notice", unless such notification might result in the collection of inaccurate 
information or defeat the purpose or prejudice the use for which the personal information is 
collected. 


[| If notice about surveillance or monitoring will not be provided 


AND, those responsible for implementing and using such surveillance or monitoring method(s) or 
who may have access to personal information collected or created through these methods are made 
aware of privacy and security policy requirements. 


Does the program or activity involve compliance/regulatory investigation or law enforcement, surveillance 
 orintelligence gathering that targets specific individuals against whom penalties, criminal charges or 
sanctions may be applicable? 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 
Charter of Rights and Freedoms 
Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
YES 
X. Consult with your legal advisors to determine whether or not the compliance/regulatory 
investigation or law enforcement activities raise any issues relating to the Charter of Rights and 


E gs ts I EE FB ope, ege» oup x d D MENSEM. xz Puy Hos PRES gles. a! 
Canada Border Services Agency 


rthe 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Scenario Based Targeting for High Risk Travellers | PIA. vis 
| Protected B 


17.3 X AND, if the legislative authority differs from the legal authority for the program or activity, ensure it 
: is adequately reflected in the response to Question 1 of “Section 5 ~ Privacy Compliance Analysis" 

- and in "Section 1 — Overview and PIA Initiation “of the CBSA PIA. 

174 X] AND, any personal information collected or created as a result of such regulatory or criminal 

- enforcement, surveillance or intelligence gathering program or activity is described in the relevant 


RES E EEIPES 


A] AND, the collection or use of personal information through these compliance / regulatory 
investigation or enforcement activities is adequately reflected in the "Privacy Notice", unless such 
notification might result in the collection of inaccurate information or defeat the purpose, or 
prejudice the use, for which the personal information is collected. 
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This table summarizes the privacy risks identified through the PIA process, and categorizes risk levels as 
low, moderate or high. Risks are expressed in terms of both likelihood of the risk occurring and the 
impact should it occur. The goal of privacy risk management is to identify and maintain privacy risks 
within acceptable bounds. The higher ratings provide an indication of priority areas for implementing 
suggested risk mitigation mechanisms or strategies. This report identifies a number of privacy risks and 


Criteria for ranking are set as follows: 

* Low: There is a remote possibility that the risk will materialize and/or the impact of the risk 
to the program is minor. 

+ Moderate: The possibility of the risk materializing is very low although the impact of such a 
risk is high, OR the possibility of the risk materializing is high but the impact of such a risk is 
minor, OR the impact and likelihood of the risk occurring are both determined to be 
moderate. 

+ High: There is a near certainty that the risk will materialize if no corrective measures are 
taken and/or the impact of the risk on the program is severe. 


Element | Natureof risk Level of risk 


| Openness | The API/PNR Program PIB vO 
| | does not reflect the use of | | | Program PIB should be updated 

| | SBT methodology nor does | to reflect the change from risk 

| it fully reflect statutory | scoring to SBT and to more fully 

- authority for use ofthe | | | reflect the statutory authority for 

: personal information | - : : the use of the personal 

| : | | information. 
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| | PIA Reference - 
http. jact ionp an.gc.ca/en/page/bbg- Executive Summary 
| ipf/beyond-border-action-plan ; Section Summary of the project, 
: posi nhl a a approach to | initiative, or change 

p.6 Exec Summary 
Section 1 Legal Authority 
| Section 5.1 Legal Author 
| Section 7.1 and Section 107.1 of | htt | p.6 Exec Summary 

: the Customs Act | lois.justice.gc.ca/eng/acts/C- Section 1 Legal Authority 
| | 52.6/page-5.htmi#h-11 Section 5.1 Legal Authority 


IRR Rada atii lí 


Me 


£ nig ation and Refugee 
E Protection Act 


ttt ttt ttn ———ÁMÁ 


 http//laws- 
is. justice. gc. ca/eng/acts/C- 
5 Gipage-69 hti T 


cassie ee EEE aca aaa ETE 


nfomation Regulations 005 | Section 1| Auth ority 
Section 4.4 External Use and 
Disclosure 

Section 5.1 Legal Authority 
iid 9. 1 Use of Personal 


' Sectio. 1269. immigration and — http: IANS- 


: | Refugee Protection Regulations — | lois iustice gc. ca/eng/regulations/SO | Se | Leg only 
| R-2002-227/FuliText.htm#h-121 — Section 5.1 Legal Authority 
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“SBT 1T Security Risk Mitigation — "h roi 
| Analysis (RMA) 


Section 2 Beyond the Border Privacy 
Principles | 
Section 13 Safeguards — Threat and | 
Risk Assessment | 


| Section 2 Personal Information 
Transmission 


— 


| Section 2 Program or Activity 
Partners 
je | : Section 3 Other Databases 
| | Exohiónga à of Advance e Passenger | | | Section 10.1.4 Disclosures-Foreign 
_ Information (APD* : | Government Institutions 


"Provided - | Executive Summary 

: | Section 1 Scope of this PIA 
: Section 2 Beyond the Border Pri ivacy | 

[ Principles 


pone (APVPNR) Project F 

| Report, June 12, 2003 
Pee eT nu Te Sunmay 

| Section 1 Scope of this PIA 

: | Section 4 Data Flow-Description 

Section 3OtherDatabases ——— — 

| : Section 4.2 Data Flow Model-Table 


| CBSA Memorandum D1-16-3 


EE EM t 
E 


National Police Service of the 
Royal Canadian Mounted Police 
and the Canada Border Services 
Agency, Borders Intelligence 
Division (Regional Intelligence 
Officers) & immigration Warrant 
Response Center, September 29, 


femorandum of Understanding — | 
Between Citizenship & Immigration 
Canada and the Canada Border | 
Services Agency (2011) 
information Shanng Annex 2012 


f 


| Administrative Guidelines for the 
| Provision to Others, Allowing 

| Access to Others and Use of 

| Advance Passenger Information 
| {API} and Passenger Name 

| Record (PNR) Data 


————Ó—M—— 


| Policy Guidelines on the : : 
| Disc dosure of Customs information. asic. gc. nue ications/pub/bsf5150- 


| eng.html 
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Provided — 


designated agency employees to the 
CPIC databases 


——————— 
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Section 4.2 Data Flow Model-Table 


——————————— anne 


| fune 

| Section 4.2 Data Flow Model-Table 
| Section 4.8 Other Possible 

| Considerations-Access 


| Section 10.1.2 Disciosures-Other 
_ Federal Govt | 
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The following signature represents a 
commitment to comply with sections 4 to 8 of 
the Privacy Act and the related privacy policy 
requirements outlined in the CBSA PIA as they 
relate to the administration of the identified 
program o 


B 


Date 


Note: Responsibility for sections 4 to 8 of the Privacy 
Act rests with all employees of government 
institutions that handle personal information. Officials 
who manage such programs and activities are 
responsible for ensuring that such requirements are 
implemented as part of the administration of the 
program or activity, 


Canada Border Services Agency 


The following signature represents a commitment 
by the Head of the institution or his/her 
delegate(s) who is responsible for establishing 
personal information banks in accordance with 
section 10 of the Privacy Act. 


Dan Proulx, 
Director, Access to Information and Privacy 


Note: Under the Privacy Act, the Head or his/her 
delegate(s) is responsible for complying with legal and 
relevant privacy policy requirements related to the 
approval and registration of personal information 
banks 
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reflected in the relevant PIB. 


2 . a) The categories and elements of personal information to be 
collected for the new program or activity have been carefully 
assessed based, for example, on the CBSA’s experience gained with 
the administration of a similar program or activity. The personal 
data collected will be limited to only that which is required.) 


b) Categories and elements of personal information have been 
described in the relevant PIB for the program or activity. 


c) Controls and procedures will be implemented to ensure the CBSA 
does not collect more personal information than necessary for the 
program or activity and that a continuing need exists for the 
personal information and its collection. 


4and 5 a) Allofthe requisite "Privacy Notices" and "Consent Statements" 
that meet the requirements of sections 6.2.9 to 6.2.12 of the 
Directive on Privacy Practices have been drafted. (Texts of the 
notices and consent statements must be included as an annex.) 
b) Controls and procedures have been implemented to keep 
records of individual consents, and to ensure that persons 
acting on behalf of individuals who do not have the capacity 
to provide consent have the authority to do so under section 
10 of the Privacy Regulations. 


E > 
ES 


and Archives Canada to authorize the disposal of the records 
containing personal information for the program. 
b) Controls and procedures have been implemented within the [| 


ensure that information that has been used for an administrative 
purpose will be kept for the minimum retention period 
established by the Privacy Regulations. 


C) Reference to the RDA, the retention period and the disposition 
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8 Controls and procedures are in the process of being implemented to 
ensure that the personal information associated with the program is 
E accurate, complete and up-to-date as necessary. 


Openness Describe how the results of any privacy impact assessment or audit 
-will be made available to the public. The Executive Summary will be 
published on the external CBSA ATI and Privacy Division website at 

http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia- 
efvp/atip- aiprp/pias- -sefp-eng.html 


Are policies and practices relating to the proposal's ie and 
handling of personal information available to the public? 


is there a communications plan to explain to the public how personal O CJ 
information will be managed and protected? | | 3 


is there a clearly defined and easy process for | indivi duals to access 
such information and/or communicate with appropriate individuals 
with respect to policies and practices relating to management and 
ea i of personal information? 


Where appropriate, will public consultation take place on the privaty 
implications of the proposal? 


Individual’s Access Is the system designed to ensure that an individual can have access to ZS | E 
to his/her personal information, including all other programs or 
applications that have received copies of the information? s. 12(1) 


Personal information 


Are there documented nn developed or pi ws on how to 
make privacy deci or requests for the correction of personal 


Are individuals provided with access to their personal information in 
_ the official language of their choice? s. 17(2) 


If appropriate, are individuals provided with access to their personal 
information in an alternative format? s. 17(3) 


 Challenging - Are the complaint procedures for the e proposed pi program or service | 


anada Border Services Agency 
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Compliance consistent with. legislated requirements? $. 29. 35 


To improve information management practices and standards, has a 
procedure been established to log and periodically review the nature, 
frequency and resolution of complaints? 


Are there oversight and review mechanisms ieipleniented or 
available to ensure accountability? 


Have oversight agencies, including the Office of the Privacy 
Commissioner, issued reports or opinions on issues that would be 
relevant to the proposal? 
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In their March 2011 document, Expectations: A Guide for Submitting Privacy Impact Assessments to the 
Office of the Privacy Commissioner of Canada, the Office of the Privacy Commissioner (OPC) has 
expressed the importance of analysing the risks of the project, program or initiative against the ten 
universal privacy and fair information practice principles of the Canadian Standards Association Model 
Code for the Protection of Personal Information. 


The most relevant demonstration of the privacy risk and compliance analysis is the action plan. The OPC 
has said the following in their Expectations guide with respect to the action plan: 


Once privacy risks and their proposed mitigating measures have been identified, we expect to 
see an Action Plan drawn up by the institution, indicating a specific time frame for remedying or 
mitigating the risks that have been identified, and if possible, naming a specific person or staff 
position accountable for taking action. 


The action plan must list all privacy risks and compliance issues identified in the PIÀ and supplementary 
documentation. All risks and issues must be organized by the 10 universal privacy principles. 


All recommendations and proposed mitigation strategies must also be described in the action plan. 
identify the responsible program area and the timeline for completion or implementation of the 
strategy. The ATI and Privacy Division will provide programs with an action plan template to be 
addressed near the end of the PIA process. 


The expectations of the OPC for each privacy principles are included below for your reference. 


Accountability 

Under this principle the OPC would expect to see documentation of an administrative structure for 
privacy, including input from legal services, access to information and privacy and information 
technology branches within an institution, with defined processes for determining when new projects 
require PIAs, for carrying them out, implementing mitigating measures and auditing for assurance of 
compliance. We expect PIA reports to be signed off at the appropriate level, and that training in privacy 
issues and procedures has been documented and is refreshed with employees regularly; and that 
privacy protective language is included in all contracts with third parties handling personal information 
in accordance with TBS guidance documents and internationally accepted best practices; and that 
regularly scheduled privacy compliance audits will be undertaken and the findings acted upon. 


Identifying Purposes 
The Privacy Act restricts federal government institutions to the collection of personal information that 
relates directly to an operating program or activity of the institution, so we would expect to see a clear 
description of the program and why each piece of information is needed; a description of the legislative 
authority for the collection; a clear listing of all the data elements collected; copies of any relevant 
documents such as application forms identifying the purpose for the collection or on-line notices of use; 
a copy of an up to date Personal Information Bank (PIB) description; a statement of any proposed new 
consi istent use of i information n previously coli ected and a clear rati ionale as to how the use is reasona i 
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and directly connected to the original collection -- this may include an analysis of how an individual to 
whom it relates would reasonably expect it to be used for that purpose; a statement outlining any 
intended secondary uses of the information; whether the information is collected directly from the 
individual and if not, why; and a description of how personal information used for planning, forecasting 
or statistical purposes would be anonymized or de-linked from individual identifying information. 


Consent 

This is closely tied to the Identifying Purpose principle. Under this principle, OPC would expect to see a 
copy of notification language on forms or websites; a clear description of the purpose for collection; a 
rationale for not seeking consent, as is provided for in the Privacy Act; for web sites, a copy of the 
Privacy Notice Statement under which personal information is submitted to the institution. 


Limiting Collection 


collected, in keeping with the requirement of the Privacy Act that no personal information is to be 
collected by a government institution unless it relates directly to an operating program or activity of the 
institution; an indication that a data minimization exercise has been undertaken to ensure that each 
data element is necessary and that this exercise will be refreshed regularly; and that information 
collected from another department for a secondary use will be purged of all but the essential data 
elements before use. 


Limiting Use, Disclosure and Retention 

Under this principle, OPC would expect to see a description of the specific uses and proposed 
disclosures of the information; a clear statement limiting the use of the information to the purposes 
identified; a clear retention policy and disposition schedule that is also noted in the PIB; a process for 
destruction of the information that is in keeping with the Privacy Act and Regulations; copies of MOUs 
or agreements with third parties to whom information is disclosed governing its use, retention and 
disclosure, and clauses with contractors or sub-processors of information indicating the originating 
institution has the right to audit for compliance with privacy provisions. 


Accuracy 

Under this principle, OPC would expect to see a description of the process used by entities to ensure 
accuracy, particularly when administrative decisions are made; a description of how changes to records 
are logged and monitored; a statement of whether automated decision-making based on risk profiles is 
being undertaken and how automated decisions are vetted for accuracy; an explanation of the 
processes open to individuals seeking to correct information; a description of the process by which 
second or third parties to whom information has been disclosed will be notified of changes and 


and evaluated. 


Safeguards 
OPC would expect to see under this principle a description of the physical and electronic safeguards that 
are in place to protect information; a Threat & Risk Assessment (TRA) with emphasis on privacy risks and 
concerns and a discussion of how these concerns have been remedied or addressed; a notation that 

encryption is used for personal information both in transit and at rest; a description of how system logs 
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strong electronic access control, including controls on remote access, and the use of mobile devices; 
policies for the use of portable storage devices such as flash drives; a description of role-based access 
controls; and a description of the steps taken to ensure complete destruction of the information at the 
end of its life cycle. 


Openness 
Under this principle, OPC would expect to see a summary of the PIA written in plain, understandable 
language, posted on the institutional website in a manner accessible to the general public and 


oe 


invasive programs we would expect to see the public communications plan described in the PIA, 
including a variety of methods such as posters, brochures and media announcements as well as detailed 
discussion of the PIA in the institution's Annual Report under the Privacy Act; a description of 


on the website; the name and contact information of an individual accountable for the handling of 
personal information should be easily obtained through the website or by calling the institution's main 
public number. 


individual Access 

Under this principle, OPC would expect the PIA to include a description of any informal process the CBSA 

may have in place for access to and correction of personal information; an up to date and 

comprehensive description of information contained in the PIB corresponding to the initiative; a 

description of the process by which information in the hands of third parties is corrected following 

requests; a description of how the general public is made aware of these processes, for example, by à a 


Challenging Compliance 

OPC would expect to see the PIA address this principle by indicating clearly who is responsible for 
receiving and resolving privacy complaints; describing complaints that may have been received in any 
similar activity or pilot project and how they were handled; including privacy issues in project 
evaluations or feasibility reports; describing how and when compliance audits for privacy will be 
undertaken; including information on how to file a complaint with OPC under the Privacy Act; and 
reporting in some detail on specific and/or systemic privacy issues in its Annual Reports. 
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The Description section in a personal information bank (PIB) describes the personal information 
in the records to which the bank relates. Treasury Board Secretariat has established the 
following categories of personal information, which give examples of specific elements of 
personal information that fall under each category. The purpose of the categories is to reduce 
the number of personal information elements that need to be listed in the Description section. 
These categories are representative of the personal information collected by most institutions, 
and they now appear in many of the CBSA registered PIBs. The ATI and Privacy Division 
modified the original list to reflect CBSA business lines. 


Biographical information (e.g. work history, curriculum vitae, family information, 
Passenger information, etc.) 

Biometric information (e.g. blood type, eye or facial scan, DNA, finger / hand prints, etc.) 
Contact information (e.g. work and / or home information, including postal and e-mail 
addresses, telephone, fax, cell phone numbers, etc.) 

Citizenship status or Nationality (e.g. citizen, landed immigrant, etc.) 

Crew detailed information 

Criminal checks / history (e.g. information related to criminal record checks, 
investigations, charges, conviction dates and locations, pardons, etc.) 

Date of birth 

Date of death 

Destination City 

Employee identification number (e.g. Personal Record Identifier) 

Employee personnel information (e.g. records of attendance and leave, notices of 
disciplinary action, alternative work arrangements, decisions concerning compensation 
and fitness for work, official languages qualifications, salary, deductions, level of security 
clearance, performance reviews and appraisals, rating board assessments, including 
évaluation notes from staffing boards, training and development course applications 
and evaluations, etc.) 

E-Ticket Information 

Financial information (e.g. income, investments, mortgages, loans, orders of 
garnishment, financial institution information for direct deposit and other banking 
purposes, including name and branch number of institution, account number(s) and 
name(s) on accounts, etc.) 
FOSS Case Number 
Gender 

Itinerary Cities 

Language (e.g. mother tongue, official and other languages, etc.) 
Medical information (e.g. psychological assessments, blood type, etc.) 
Name (e.g. last name (surname/family name), given names (first, second or more), 
maiden name, nicknames, aliases, etc.) 

Opinion or views of, or about, individuals 

Passenger Name 

Passport Number or Travel Document Number 
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Place of ticket purchase 

Photos 

Physical attributes (e.g. height, weight, color of hair and eyes, physical markings (scars, 
tattoos, body piercing), etc.) 

Place of birth 

Place of death 

Port of Embarkation and Port of Debarkation 

Signature 

Special Travelling Considerations such as Employee Pass, Buddy Pass and Parental 
Passes 

Visa Number 
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[ EXECUTIVE SUMMARY 


Primary inspection Kiosk 


The CBSA's next generation Primary Inspection Kiosk (PIK) was one of the recommendations put forth 
by a dedicated Air Traveller Task Force, established in late 2013 with a mandate to develop a strategy 
to support projected future changes in Canada Border Services Agency's (CBSA) air mode operational 
environment. Smart border management includes modern services that leverage technology to assist 
in reducing wait times and congestion at Canada's busiest airports. 


Deployment of PIK across Canada's international airports is scheduled to begin in early 2017. PIK will 
replace the Automated Border Clearance (ABC) kiosks, currently in operation at the international 
airports of Vancouver, Montreal Pierre-Elliott Trudeau and Toronto Lester B. Pearson. PIK will also 
expand the population eligible to use a self-service kiosk to include visa-exempt and visa-required 
foreign nationals. 


Upon arrival in Canada, travellers will soon use a next-generation PIK to verify their travel documents, 
confirm their identity and complete an on-screen declaration. Those looking to save more time can 
complete their declaration in advance using the CanBorder - eDeclaration mobile application (app) and 
scan their quick response (QR) code at a kiosk upon arrival. 


PIK represents the next evolution in automating Canada's international air ports of entry (POE), in 
partnership with Airport Authorities (AAs). The kiosk, owned and maintained by AAs, is a tool designed 
to capture and transmit traveller data securely to CBSA back-end systems, so the CBSA can 
authenticate an individual's travel documents and identity, and render a recommendation on customs 
and immigration admissibility. All travellers will continue to see a CBSA officer and some travellers, as 
occurs today, will be referred for additional questioning or inspection. 


Through PIK, the CBSA will improve border security while streamlining service for all travellers entering 
Canada. By automating administrative tasks, CBSA officers will be freed up to focus on judgement-based 
and enforcement activities at ports of entry. 


The on-screen declaration and mobile app will also allow the CBSA to phase out the current Declaration 
Card distributed on-board aircraft, reducing paper consumption and saving roughly $10 million per year 
through digital service delivery. 


Deployment of PIK to the top ten airports is expected to commence March 2017. The airports 
scheduled for priority deployment of PIK include Ottawa, Toronto, Montreal, Vancouver, Edmonton, 


Halifax, Winnipeg, Calgary, Billy Bishop and Quebec City airports. Additional airport deployments will 
be negotiated with interested airport authorities, subject to CBSA capacity. 
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Protecting Your Personal Information 


The following personal information elements related to the traveller will be managed by the PIK' 


Facial photo 


| Duration of absence from Can: | | 
Travel document information 


food, etc.) 


Duration of stay in Canada (visitors only) | u _| Signature (occurs as attestation on the PIK) 


| Purpose of Trip (Foreign nationals only) - 


While the kiosk and mobile app are new tools, the CBSA's collection of information from travellers 
arriving by air remains largely unchanged with the exception of the facial photo captured at the kiosk. 
In fact, by moving to an electronic declaration, the CBSA will be reducing the number of data elements 
captured to the minimum required for traveller processing, and will increase the integrity of data 
collection and the security of data transmission. 


The collection of information will be facilitated by PIK; no personal information will be stored on the 
kiosk itself. All information collected will be transferred securely over dedicated lines to CBSA 
information holdings and purged from the kiosk upon termination of each traveller session. 


The mobile app operates without any connection to CBSA systems (i.e., in airplane mode) and retains 
only basic, non-protected, traveller information, used to pre-populate a portion of the kiosk data 
entry. Declarations on the app are deleted after 24 hours, and may be manually deleted at any time. 


The kiosk and app are tools that will collect information directly from the traveller and verify it against 
information that is already held within CBSA information holdings. In keeping with the CBSA’s current 
Memorandum of Understanding, information will be disclosed to Statistics Canada (StatCan) for 
statistical analysis purposes. As per the CBSA's existing practices, in the event it is required for 
enforcement, program integrity or to address health and safety concerns, information may be 
requested on a case-by-case basis by law enforcement partners, Employment and Social Development 
Canada (ESDC) and the Public Health Agency of Canada (PHAC) respectively. 


All information collected will be held within the CBSA's existing Integrated Customs System (ICS) 
platform. ICS is a common platform that encompasses both commercial and passenger-traveller 
streams and is comprised of a number of components (e.g., Passage History, Secondary Processing, 
Passenger Information System). 


* Specific details concerning the collection of these elements are outlined in Section 3. 
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| Automated Border Clearance 
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DSO "Departmental secu rity Officer 
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| El i | Employment Insurance 


| EPIL | Electronic Primary inspection Line 
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Employment and Social Development Canada 


Formal Arrangement 


| GOC = Government of Canada 


Mn A nnne A MAS tetti du du dado eee dément de ne iim ORR RA M 9 SSSR i mm ne den in, 


TR nn eee €—— — — EE a Se ICO da 


HTTPS I Hypertext Transfer Protocol [Secure] 
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j 

i 
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ID | Identification 


—— 


IRCC | Immigration, Refugees and Citizenship Canada. 


| ISA | 

| IT/IM 1: information Technology/Information Management 

PR S ite ie ain PE SRE PR Pe ED TL PP MEUS PSN Cae ee Soa ee EP RS di RE TN EME ———— P page eas 2. 
| LAC P Library and Archives Canada 
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MRZ ql Machine Readable Zone 
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Information Sharing Agreement 
| 
| 

- Other Government Department | 


D ete em mn i TN ee UNE Ceres Preston meee oT Ree nee eam TT pt PM ; URS 
| Office of the Privacy Commissioner. of Canada. | 
| IE | Privacy Act 
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| Passenger Information System 
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| 
| Personal Information | 
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PIB | Personal Information Bank 
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StatCan 1 Statistics Canada 


i 
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| TBS | Treasury Béard Secrétariat | 

| TLS | Tra nsport Layer Security 

M E Ext. us uM NEMINEM MM: 
| TRA | Threat and Risk Assessment 


VP | Vice-President 


| VPN | Virtual Private Network 
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———————————————————————— "C — 
| Action Plan |n The Action Plan describes the steps that the Program will taket to à address risks that have: 
| been identified by ATI and Privacy Division, Office of the Privacy Commissioner of Canada 
| 1 (OFC) and Treasury Board Secretariat (TBS). 
" Administrative purpose | The Privacy Act defiries an sdministrative purpose" "to be the ü use — an anvidusi^s 
| | personal information i ina decision- -making process that directly affects that individual. 
| Consistent use | [s a use that has a reasonable and direct connection to the original putbosets ) for which 
| the information was obtained or compiled. This means that the original purpose and the 
| proposed purpose are so closely related that the individual would expect that the 
| information would be used for the consistent purpose, even if the use is not spelled out. 
Data Matching | A comparison af nersonal data obtained from a variety f sourees, include personal 
| information banks, for the purpose of making decisions about the individuals to whom 
| the data pertains. Data matching is a specialized activity involving the collection, use and 
| disclosure of personal information that is subject to the various requirements of the 
| Privac Act. 
pecca ce ud cu ico. 4. Duel c Mme NE mm uem 


| isa series of anhual TBS bebe in which government institutions are required tt to | 
| | describe their institutions, program responsibilities and information holdings, including PIBs - 
: and classes of personal information. The descriptions are to contain sufficient clarity and 


Info Source 


| activities, use of the SIN and all activities for which privacy impact assessments were 
| conducted have to be cited in info Source PIBs, as applicable. The info Source publications 
| also provide contact information for government institutions as well as summaries of court 


: detail to facilitate the exercise of the right of access under the Privacy Act. Data-matching | 
| 

| 
| Ce cases sand statistics on access requests. | 


| Personal Information | | Information about an identifiable individual as defined in section 3 of the Privacy Act. This 
: definition, although lengthy, is not exhaustive, as indicated by the introductory phrase, 

| "including, without restricting the generality of the foregoing". Information that is not 
specifically mentioned in the list may still be included in the definition of personal 
information if it qualifies as "information about an identifiable individual". 


Personal Information: Bank “Is a description of personal informatión that i is —Ü and rétrievable by: a person's sons — | 


2 
^ 


| | name or by an identifying number, symbol or other particular assigned only to that person 
l | The personal information described in the personal information bank has been used, is 
being used, or is available for an administrative purpose and is under the control of a 
government institution. 
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| The OPC describes "privacy" as ^. the right to canon access De one's person and 
| information about one's self. The right to privacy means that individuals get to decide what 
| and how much information to give up, to whom iti is s given, and for what uses.” 
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Report Objectives 


This report is a Privacy Impact Assessment (PIA) for the Primary Inspection Kiosk (PIK) initiative, 
including the CanBorder-eDeclaration mobile application. PIK is the evolution of the Automated Border 
Clearance (ABC) initiative, for the Canada Border Services Agency (CBSA). The PIK initiative will introduce 
increased functionality in support of both facilitation and security, including complete on-screen 
traveller declaration and the elimination of the paper E311 declaration card, and will begin to use the 
International Civil Aviation Organization (ICAO) standards to authenticate a traveller's documents and 
identity. In addition, the PIK initiative will expand the population eligible to use the PIK, including visa- 
exempt and visa-required foreign nationals. 


The objectives of this PIA are: 

to review the business processes in order to identify the data flow of personal information; 
to analyze the collection, use, disclosure and retention of personal information; 

to determine if there are privacy risks associated with the expansion of the PIK; and 

to provide recommendations on the mitigation or elimination of the risks. 


5 9 59? 28 


An initial PIA and one addendum related to ABC have been provided to the Office of the Privacy 
Commissioner (OPC) and initial meetings discussed the evolution of primary inspections at Canadian 
airports. The information presented in this report follows the Treasury Board of Canada Secretariat (TBS) 
PIA policy and guidelines. 


The purpose of a PIA process is to ensure that privacy is considered throughout the project development 
cycle. The results of a PIA are a documented guarantee that privacy issues have been identified and 
adequately addressed. 


Government Institution: CBSA / Programs Branch 


gn ih ag HUE "S 


1 
! Gavermment Official Responsible for the Privacy Head of the aoverbment ir institütioñi iJ Delegate foi | 
|; Impact Assessment section 10 of the Privacy Act 

| Martin Bolduc, Vice President, Programs Branch Dan Proulx, Director, Access to Information and 
| Privacy Division 


—————€—————————— M! 


Name of Program or Activity of the Government Institution: 
—— Me na 


This initiative relates to the 1. 3 Admissibility Determination sub-activity and the 1 3. 2 Air Mode sub-sub- 
activity. 
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i bili y Determination — -through t the e Amis D Determination Program The CBSA A develops, | 


c people and goods within established s service e standards. in addition, the Agency ‘develops, maintains and _ 
 administers the policies, regulations, procedures and partnerships to control the export of goods from | v 
| Canada. in the traveller stream, border services officers question people upon arrival to determine if they d 
: and: their peroral goods n meet the fedus penis of Bolus legislation and odes to enter G r da. 


processing de g. ” payment of duties and taxes, issuance of a docuraeal, andar for: a physical | examination. 


1. 3. 2 Air Mode mu. Air dcs identifies and intercepts propie and ee that: are e inadmissible t to 


airlines. CBSA officers make. a decision t to admit the person or refer them vor further p Puede Eier g, a 

| payment of duties and taxes, issuance of a document) or examination. For private and corporate aircraft p 
and general aviation traffic reporting through the Telephone Reporting Centre, various checks are | 

| - conducted by means of the telephone reporting system. BSOs make a decision to admit people or refer 

| them for further processing or examination. To assist bor ler services officers in their examinations, - 

| detection tools such as detector dogs and ion scanners may be used. People and goods found to bei in 

| violation of the applicable legislation and/or regulation ; mi ybe subject to toa monetary penalty, seizure or 

| d denied d entry t to Canada. -~ 
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| which describes written information sharing collaborative agreements between the CBSA and federal 

| departments. Records may also include Travellers D Declaration cards, Casual Goods Accounting Documents, 
records or reports from electronic systems used to administer or manage the program including the 
Travellers Entry Processing System (TEPS), the Customs Commercial System (CCS), the Facility tor 

: Information Retrieval Management (FIRM) and the Travellers National Database System (TRANDS). 


Description: D Describes records valeting t to the Interdeparmental and Ihtergovernmentat Relations Program | 
| 
| 


Document Types: Memoranda of Understanding, Letters of Understanding, Information Sharing | 
Agreements, policy, guidance materials, Memos and Forms. : 
i 
i 
i 


| Record Number: CBSA ADM 132 | 
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Class of Record Number: “CBSA AD ADM 132 
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| |Proposal for a New Personal Information Bank 
X| Proposal to modify an existing Personal Information Bank - identify PIB registration number and current 
description: 


Traveller Declaration 

Description: This bank describes information used in support of the Canada Border Services 
Agency (CBSA) Travellers Border Programs, specifically the E311 Traveller Declaration card 
(E311) and digital declaration at the Primary Inspection Kiosk. The personal information 
may include name, date of birth, citizenship, visual image of traveller, travel document 
information, place of residence (Province/State and Country) and signature. For visitors to 
Canada, the duration of stay in Canada and if the duty-free allowances are exceeded; for 
residents of Canada, the date of departure or duration of absence from Canada and the 
value of goods — CANS purchased or received abroad (including gifts, alcohol and tobacco). 
In addition, responses to a number of questions are also requested: the origin of the flight, 
purpose of trip, goods brought or unaccompanied in Canada, currency and/or monetary 
instruments totalling CANS 10,000 or more, and if a visit has been made or scheduled to a 
farm. | 

Class of Individuals: All persons entering Canada, including but not limited to, Canadian 
citizens, permanent residents, visitors, crew members, diplomats, military personnel, 
refugees, immigrants, former residents. 

Purpose: The personal information is collected pursuant to the Customs Act, Customs Tariff, 
Immigration and Refugee and Protection Act (IRPA), Proceeds of Crime (Money Laundering) 
and Terrorist Financing Act (PCMLTFA) and Subsection 5(3) of the Reporting of Imported 
Goods Regulations for the purposes of facilitating compliance with travellers' obligations to 
report their goods in writing upon entry into Canada including the collection of duty and 
taxes owing on those goods imported into Canada and to administer laws that enforce, 
prohibit, control and regulate the importation of goods into Canada and the movement of 
people coming into Canada. 

Consistent Uses: Information may be disclosed internally to the CBSA Enforcement and 
Intelligence Operations Directorate for the purposes of assisting CBSA's enforcement 
program, and criminal investigations operations. Information may be disclosed externally to 
Employment and Social Development Canada (ESDC) and the Public Health Agency of 
Canada for the purposes of Program integrity; refer to: Employment Benefits, Support 
Measures and Other Programs ESDC PPU 293 and Traveler Illness Reports PHAC PPU 071. 
Information may also be disclosed to Statistics Canada for the purposes of evaluation and 
statistical reporting. Information may also be disclosed to police forces, investigative 
agencies and other countries for the purposes of criminal investigations law enforcement. 
Retention and Disposal Standards: Files are retained for seven years from the date 
stamped on the traveller's declaration card (or date stamped on the traveller receipt when 
the traveller uses the Automated Border Clearance, the Primary Inspection Kiosk or NEXUS 
kiosk). After this period, the records are destroyed. 

RDA Number: 2000/033 

Related Record Number: CBSA ADM 132 

TBS Registration: 002271 

Bank Number: CBSA PPU 018 


Legal Authority for Program or Activity: 
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| Legal duthority for the collection of onde information through the automated primary inspection process 
| facilitated through PIK, is derived from multi ple, inter-related legislations and regulations. =- 


o Information required for the regulation of goods (import/export) is derived from one legislation and 
supporting regulations. 1) Section 12 of the Customs Act, which states, "all goods that are imported 
shall, except in such circumstances and subject to such conditions as may be prescribed, be reported 

_ at the nearest customs office designated for that purpose that is open for business.” And 2) Section 
5(3) of the Reporting of Imported Goods Regulations, which states, "Goods that are imported bya 
person arriving in Canada on board a commercial passenger conveyance other than a bus shall be 


reported i in writing." 


o Information required from individuals as they request entry into Canada is derived from two 
legislations. 1) Section 11 of the Customs Act, which states, “every person arriving in Canada shall, 
except in such circumstances and subject to such conditions as may be prescribed, enter Canada only 
at a customs office designated for that purpose that is open for business and without delay present 
himself or herself to an officer and answer truthfully any questions asked by the officer in the 
performance of his or her duties under this or any other Act of Parliament." And 2) Section 18(1 ) 1) of 
the Immigration and Refugee Protection Act which states, “Every p person seeking to enter Ca nada | 
must appear for an examination to determine whether that person hasa rignt to enter Canada oris | 
or may become authorized to enter and remain in Canada." v | 


E 

| 

In addition to these specific legal authorities, information i is also collected under the Proceeds of | Crime 

: (Money Laundering) and Terrorist Financing Act, as well as associated regul lations made thereunder such 
as the Cross-border Currency and Monetary Instruments. Reporting SEU HIGH Subsection 12(1 ) of the 
Proceeds of Crime (Money Laundering) and Terrorist Financing Act states," ey person or rent 


referred to in subsection (3) shall report to an officei 
or exportation of currency or monetary instrumen | 


a value. gne to: Or greater than the prescribed 
amount.” — 


Program legislation as defined in the Customs Act “means any o other Actof Parliament or any instru ment 
made under it, or any part of such an Act or instrument, . 


(a)t that Hie Governor in 1 Council or Pünismenta authorizes S Minister, the Agency, the e President or | 


Tariff, t the Excise Act, the: Excise Act, 2001, the pane and Refugee I Protection Act and the 
Special Import Measures Act; oo 


(b) that the Governor in Council or Parliament authorizes the Minister, the Agency, the President or. 
| an employee of the Agency to enforce, including the Agriculture and Agri-Food Administrative 

Monetary Penalties Act, the Canada Agricultural Products Act, the Feeds Act, the Fertilizers Act, the 
. Fish Inspection Act, the Health of Animals Act, the Meat Inspection Act, the Plant Protection n Act and 


the Seeds Act; 


n ——— eet 


(c) under which the Minister or another minister authorizes the Agency, the President or an a p 
employee of the Agency to administer a program or carry out an activity; or _ 


die under which duties or taxes collected and d pait pursuant t to the Customs Act are imposed. 7 
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The CBSA, like an increasing number of countries worldwide, is expanding its automated border solution to 
improve the Agency's capacity to deal with sharp spikes in traveller volumes within limited airport space, reduce 
border wait times, improve traveller identity and risk assessments, and reduce the use of paper to perform 
administrative functions. 


PIK is the next generation of kiosks that will replace the current ABC kiosks in place at the international airports 
of Vancouver, Montreal Pierre-Elliott Trudeau and Toronto Lester B. Pearson. A final deployment of ABC was in 
Calgary International Airport in October 2016. A PIA has previously been submitted to the Office of the Privacy 

Commissioner for the ABC initiative. 


Upon arrival in Canada, travellers will soon use a next-generation PIK to verify their travel documents, confirm 
their identity and complete an on-screen declaration. Those looking to save more time can complete their 


declaration in advance using the CanBorder - eDeclaration mobile application (app) and scan their quick 
response (QR) code at a kiosk upon arrival. 


In summary, PIK 1.0 will support the automation of existing manual processes, extend eligibility to all foreign 
nationals (FNs), introduce ePassport Public Key Directory (PKD) validation, biometric passport verification 
through facial authentication, and move to replace E311 form by introducing the capture of on-screen traveller 
declarations. 


Deployment of PIK to the top ten airports is expected to commence in March 2017. The airports scheduled for 
priority deployment of PIK include Ottawa, Toronto, Montreal, Vancouver, Edmonton, Halifax, Winnipeg, 
Calgary, Billy Bishop and Quebec City airports. 


Eligible Travellers 


For PIK, eligible travellers include Canadian citizens, Canadian Permanent Residents, U.S. citizens and all 
other Foreign Nationals, both visa-exempt and visa-required. 


Although the CBSA is targeting to direct 100% of travellers for processing via PIK, a subset of travellers 
will choose or be directed to in-person processing for a number of reasons including language, 
technology aversion, documentation issues, or age. Each CBSA Hall employing PIK will retain a number of 
traditional PIL booths for in-person processing. 


In a number of scenarios the client will ultimately be referred to in-person processing by a CBSA officer. 
The following non-exhaustive list provides examples of travellers who would be eligible to use PIK; 
however PIK will invoke exception processing in order to ultimately refer them to in-person* processing: 
e Eligible Foreign National travellers with an expired travel document 

e Travellers without a machine-readable travel document 

e Unaccompanied minor(s) (i.e., under 16 years of age) 


* A PIA has not been conducted for traditional Primary inspection by a BSO. As a result, privacy risks of 
in-person processing for travellers opting not to use PIK are unknown. 


Kiosk Processing 
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To use the kiosk, the traveller activates the kiosk touch screen and follows the on-screen instructions to 
complete their primary processing session. The traveller will be directed to insert their travel document 
into the PIK travel document reader, which will scan the Machine Readable Zone (MRZ) and initiate a 
passage risk assessment against CBSA systems. 


Travel Document Validation 


For travellers who present a "non-ePassport" PIK will process the traveller fully and record an indicator 
on the receipt, to prompt the Podium Officer to conduct a document and identity check on the traveller. 
For travellers who present an “ePassport” PIK will conduct an ePassport validation to confirm 
authenticity of the document and traveller, using the International Civil Aviation Organization (ICAO) 
Public Key Directory (PKD). This process will confirm that an ePassport has been issued by the 
jurisdiction with the delegated authority, that biographic and biometric information has not been 
altered, provide authentication to ensure the document is not a clone, and verify that the document 
does not appear under ICAO's Certificate Revocation List (CRL). 


Facial Authentication 


PIK will provide all travellers with on-screen directions to present for a photo (facial image capture). The 
traveller's photo will be printed on the traveller's PIK receipt to be used by BSOs throughout the CBSA Hall 
in order to confirm traveller identity and link each traveller with the receipt, and for non-ePassports with 
the travel document as well. 


For ePassports, facial authentication processing will also take place. The PIK will open the chip on the 
ePassport, access the traveller's digital image stored on the chip, and compare it to the photo taken of the 
traveller. The comparison of the two images to achieve a match will verify the traveller's identity based on an 
established match threshold as well as link the traveller to the ePassport presented. If the check shows a 
"below threshold" match, a CBSA officer will manually conduct a review of the traveller against the photo in 
their passport and make a determination as to whether they need to be referred for additional questioning. 
The manual review by a CBSA officer of the traveller against the photo in their passport will also take place 
for non-ePassport holders. The volume of the latter is expected to be low as more than 110 countries are 
issuing ePassports. 


The photo captured at the kiosk will not be stored separately in the CBSA systems; however, as it is printed 
on the kiosk receipt, it will be embedded in the PIK receipt image stored in the CBSA passage history 
database. 

On-Screen Traveller Declaration 

After PIK takes the traveller's photo, the on-screen traveller declaration process begins. The traveller is 
directed through a series of required customs and immigration questions. The on-screen declaration 


eliminates the need to complete the paper E311 Declaration Card, currently distributed on airplanes 
arriving in Canada. 


System Queries 
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PIK will query existing CBSA systems such as Interdiction and Border Alert System (IBAS) 

to retrieve Immigration documents, verify citizenship/immigration status, immigration lookouts (EH), and 
verify the travel document against the Lost, stolen, Fraudulent Document (LSFD) database and TUSCAN, 
query Integrated Custom Enforcement System (ICES) to retrieve any existing CBSA customs and law 
enforcement lookouts, and query Passenger Information System (PAXIS) to retrieve passenger flight 
number and identify flight crew. 


The system-generated results of the kiosk passage event, ePassport validation, facial match processing, 
and responses to declaration questions, will use a set of pre-derived business rules (e.g., whether the 
photo match meets the established threshold, whether the declared goods/currency is within the allowed 
exemption limit) to determine if a traveller is released to collect their bags, or referred for additional 
questioning. 


PIK Receipt 


When all system queries have been completed and the traveller's on-screen declaration has been 
finalized and submitted, PIK will print a receipt for the traveller(s) for use by CBSA personnel throughout 
the CBSA Hall. 


All PIK receipts will include the traveller's photo captured by the kiosk, certain biographical data of the 
traveller, travel document number, the traveller's flight details (i.e., air carrier code and flight number) in 
addition to CBSA refer-release coding. All PIK receipts will be collected by CBSA officers before travellers 
exit the secure area. In general, paper receipts will be destroyed, however, should a traveller be referred 
for additional questioning and an officer mark their receipt, the paper copy of the receipt would be 
added to their file as required. The CBSA will retain an electronic image of the receipt in accordance with 
access to information and privacy requirements. 


CanBorder — eDeclaration Mobile Application 


PIK will aiso provide an expedited functionality for travellers to expedite their on-screen declaration by 
using the CanBorder-eDeclaration app. The app will be available for download for free on portable 
electronic devices (e.g., smartphone, tablet) through third party distributors such as Apple, Google, and 
BlackBerry World. 


App users will be prompted, at the beginning of the kiosk session, to scan their eDeclaration QR code 
which will pre-populate the kiosk screens, reduce typing and expedite processing at the kiosk. Clarifying 
questions will be presented on-screen as required, and the traveller will be presented with an editable 
declaration summary. 


Clients who download the mobile app will follow the instructions to create traveller profiles for 
everyone in their travel group. Up to five traveller profiles can be stored within the app. The app is 
designed to limit data collection and ensure privacy. No biographic or travel document information is 
stored in the app. Each traveller profile consists of a nickname, and place of residence, as defined by 
Country (and Province/State for Canadian and U.S. residents). Travellers complete their electronic 
declaration by using the "My Declaration" function within the app. Data elements collected include: 
e Flight information (Arrival airport and arriving from) 

e Travel Group (confirmation of all travellers declaring together) 
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Duration of Absence from Canada or Duration of Stay in Canada 

Personal Exemptions / Visitor Allowances 

Value of goods (for residents exceeding their personal exemption limits only) 

OGD Questions (firearms, commercial goods, agricultural products, currency, unaccompanied 
goods, and farm visit) 


& 


Each My Declaration concludes with an editable review screen. Travellers must also review a Privacy 
Notice Statement before their declaration can be finalized on the app. Upon completion, the client is 
issued a QR code. A review of the Privacy Notice Statement is required each time My Declaration is 
completed. 


Upon arrival in Canada, the client scans their QR code at a Primary Inspection Kiosk. Each traveller is 
prompted, by travel profile nickname, to scan their travel document and present for a picture, at which 
time each traveller's declaration is reconciled against their legal name. The data transmitted to the kiosk 
by scanning the QR code, pre-populated their declaration and is presented as an editable summa ry for 
them to confirm. 


The traveller must certify their declaration at the end of the PIK session, and the session results are 
printed on a paper receipt generated by the kiosk. 


The mobile app has been designed to ensure the protection of privacy and personal information. Once 
downloaded on a client's mobile device (e.g. tablet or smartphone), the app operates entirely in 
airplane mode. The stand-alone application does not require data use/Wi-Fi access, does not connect to 
CBSA systems; no information is transmitted to the CBSA until the QR code is scanned at the kiosk. Each 
QR code expires 24 hours after it is issued; at which time all declaration data is deleted from the app. 
Clients can also delete their QR code or manually clear their declaration data at any time. 


interaction with CBSA Officers 

All travellers will continue to see a CBSA officer as part of routine processing. CBSA officers in the role of 
Podium Officer, Referral Officer, Roving Officer, or Egress Officer, will have the discretion to override the 
PIK release recommendation, and can ask travellers additional questions and refer them to Immigration 


and/or Customs Secondary for further examination and determination of admissibility. 


Once processed by PIK, travellers will fall within the following “status” categories: 


Status | Description 


>> Green 
| traveller to the baggage hall/ Egress. The Podium Officer (and in fact any Officer in the CBSA hall) 
retains the right to overturn the green status and refer the traveller to the Referral Officer and/or 
Secondary if deemed necessary. 
| Referred by PIK to Customs or Immigration Secondary. The traveller proceeds to the Podium Officer 
who further directs the traveller to the baggage hall/Egress, or in some instances, directly to the 
secondary processing location. 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


Primary Inspection Kiosk | PIA 


— Yellow | Identified by PIK and/or the Podium Officer for further in-person processing/questioning. The 

| Podium Officer directs the traveller to the Referral Officer. Following a brief interview by the 

| Referral Officer, the traveller is released, the referral is maintained, or a new referral is created and 
the traveller is directed to the baggage hall/Egress, or in some instances, directly to Secondary 
processing location. 


Foreign Nationals: og - Cleared 


- US, Citizens 
naar FNs (eTA) 
; as - Visa Required | 
ud FN ^» Further if person processing 
required 


Canadian 4 
itizens 


Podium 


Referral 
Management 


| Secondary 


Rover - 


Canine Unit 850/Rover 
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For Section 2, check the appropriate box that describes the level of risk related to your program or activity and 
provide details as indicated. Please note that answering "yes" or "no" without providing explanatory details ma y 
trigger more questions from the Office of the Privacy Commissioner. 


Please ensure that the details provided respond to these 4 elements: 
1. Necessary: /t must be demonstrably necessary in order to meet some specific need 
2. Effective: It must Be phe rie likely to be effective n achieving it its intended purpose. In other words, it 


Proj ;ortionate: The intrusion on privacy must be ia anal to the security benefit to be derived. 
4. Minimal: and it must be demonstrable that no other, less privacy-intrusive, measure would suffice to 
achieve the same purpose 


pue e T pen ese E TEMERE WT UNE "e RR dem . oe 
Program or activity that does NOT involve a decision about an identifiable individual m. 
Administration of Programs / Activity and Services [| 2 | 
Compliance / Regulatory investigations and enforcement 
i Criminal investigation and enforcement / National security | 


| Detalls, PIK collects the ~ required Perana in information ies from the traveller fot the determination Br 


E. 


| The information collected from travellers through PIK is the same as sthe information collected 4 at Paman | 
| Inspection Line with the exception of capturing the photo at the kiosk and printing on the receipt. in fact, with | 
| PIK, the CBSA will be reducing the data elements collected to the minimum required for traveller p processing. | 
| For example, instead of full address, travellers will be asked for only province for Canadian citizens and country | 

| for foreign nationals, purpose of trip will only be collected from foreign nationals. oe | 


Necessity 


| The standard border wait time at an airport is set at 20 minutes or less and is used as a measure of efficiency. A | 
_ CBSA study (draft) finds that a wait-time higher than 20 minutes at the top eight Canadian airports have cost 
| billions of dollars to Canadian economy. The estimates suggest that in FY 2016-16, 2.1 million international 
| travellers decided not to travel to Canada due to higher border wait time. : 
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| clearance continuum verify : and co confirm a a traveller E s identity. The photo i is s essential in order to reconcile the 

| traveller presenting themselves to a BSO with the self-service kiosk risk assessment results printed on the © 
| receipt. in essence, the photo on the PIK receipt allows for the highest level of confidence in traveller 

| identification under a self-service kiosk operational model, and does so without a negative impact on border 
| | wait times. 


Currently, under the ABC model, the Document Verification Officer (DVO) whom travellers see post- kiosk 
transaction has to open each passport, look for the traveller name and compare that to the name printed o on 
the kiosk receipt. For program integrity purposes, the officer has to pay careful attention especially where | v | 

names are ue id hyphenated: etc. d andr make sure it matches ther name P on the IR ipt. This — 


DVO has ripple effect causing not [only border wait times, but bottlenecks, congestion in CBSA Hall oe 
| extending to corridors, and flight delays or missed flights. With travellers increasingly accustomed to 

| automation and fast processing the bottlenecks and long wait time leads to frustration, complaints and 
criticism as was recently reported by several media outlets. : 
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When presented with a receipt containing the traveller's photo, the BSO at Podium (same as DVO under ABC) 
can n qui ey compare me s on the oy with the traveller before ehm ner, thereby streamlining | the 
match: score, the kiosk will print a » notification to Padlum. The BSO at Podium would be able 1 to very if che iow 
| match confidence score is due to a bad photo captured at the kiosk (e.g., the individual’s face is not visible 

| because they were looking to the side or down) and resolve the i issue quickly with minimal delay to the 

| traveller. In the absence of a photo on the receipt, all such c ses will have to be referred for further 

| investigation to ensure the travel document is genuine and th e chip has not been tam pered with. 


POS 
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| Effectiver ness 


| 


la sufficient importance to be characterized asa ee of fundamental justice" given tt pat effect 
ma nagement s serves a number of crucial social interests that benefit the Canadian public.” | 
The adoption of self-service kiosk for air traveller processing is derived from the Government of Canada” s need 
| to process rising volumes of international air traveller within the standard wait time wh e safegu ord 

| integrity and national security. The PIK receipt forms an integral part of the kiosk proce | 

the receipt is essential in order to link a traveller and the results of risk assessment proce 

the self-service passage event. Removing the photo from the PIK receipt would be the equivalent o 

the photo from a Dee of identification. _ 


on the Hehe à 


Program Integrity — Better protect the integrity of Canada's immigration program by preve 


^ R, v. Simmons 1988 SCC 495 at para 49. 
* R. y. Jones. 2006 OCA para 31 
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| cases of non- compliance, f fraud and misrepresentation. | 
| Minimal TERRE | 
| | The CBSA ie examined less privacy-intrusive measures, including status quo and technological solution. | 2 


Status quo — as demonstrated above, status quo (i.e., opening the passport of each traveller to variare th : | d 
' name of the holder or travel document number with the name or travel document number printed on th 2 ki DSK 
Teeny is operationally inefficient and n not t feasible as sit will cause e congestion in the CBSA Hall, |, flight 


frustration at the long border wait times at airports anda are e requesting the Govemment to revisit. ts prc cesses 
| to make the wait time shorter. D 


j 

| Some high-risk | 
| travellers may not be identified and intercepted, resulting in individuals presenting: 3 potential risk t to national | 
| security and p public safety and controlled, regulated, or prohibited goods, allowed entry to Canada. 
| : 
| Technological Solutions — the CBSA looked into the option of a handheld device for Podium and Egtess. Under 
this option, a barcode will be printed on the kiosk receipt for BSOs to scan through the handheld device to 
confirm omiy, link traveller t to the ei and confirm refer 5 rerease status. an device would a helpt m 


: not feasible: at tthis time à especially] in light a ofe curre it es 
forward for the next PIK iteration, PIK 2.0. =n o re : - e * 


| Type of Personal Information Involved and Context “tevel of Risk 
| Only personal information, with no contextual sensitivities, collected directly from the [| 1 


individual or provided with the consent of the individual for disclosure under an authorized 

program. 
Personal information, with no contextual sensitivities after the time of collection, provided by 2 
the individual with consent to also use personal information held by another source. 
Social Insurance Number, medical, financial or other sensitive personal information and/or the 3 
| context surrounding the personal information is sensitive. Personal information of minors or 
| incompetent individuals or involving a representative acting on behalf of the individual. 


| Sensitive personal information, including detailed profiles, allegations or suspicions, bodily Lia 
| samples and/or the context surrounding the personal information is particularly sensitive. 
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This information i is compared against ast information 1 found i in other CBSA information sources to determine 
whether or not the travellers are to be referred to Secondary for a more comprehensive investigation. This 
| information may have originated by direct or indirect means. Specific data elements of the personal - 
information will be limited to Biographic Entry Data, specifically: Name (First/Given Name, last -— 
Name/Surname), Date of Birth, Province for residents, and Country for Foreign nationals, 
Wax Uh Sender, Document hee Document Number, Document Y of Issuance, Duration 


- financial informatien are not collected. 


PIK process and information flow is demonstrated in Diagram 1 in Section 4.1. Data elements exchanged 
between the Kiosk ang CBSA backend OE Auring travellers session, context, data a elements stored b r the 


| 

| information hon traveller to othe kiosk to CBSA and back to the kiosk are depicted; in diagrams 2, 3 and 4i in 
| Section 4.1. Note: the information in the table correspond to the steps/information flow p presented i in the 

| diagram 2,3 and 4. 

| 
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Program or Activity Partners and Private Sector Involvement Level of Risk 


Within the CBSA amongst one or more programs within the CBSA) 


. With other federal institutions 


With other or a combination of federal/ provincial and/or municipal government(s) 


| Private sector f organizations or international EE or Sinn PORETERNE 


minim minm i A ri e m T T OC CN REI NR RO AAA e A th nn Rt ST TAPPA (RRA A a t d e en ann xx nn OR 
1 


governs the s relationship a and outlines each party’ S obligations with respect t to the kiosk device. TheC CBSA, asa | 

| full partner in kiosk design, testing and activation is responsible to ensure the proper functioning of the kiosk — | 

| and adherence to information management and information security requirements. Information collected i is | 

| encrypted at the kiosk before being securely transferred through a VPN to CBSA back-end systems, where 

| queries are conducted and determinations are made. Information is again encrypted before it is sent back to | 

the kiosk. The data is erased from the kiosk in a way to make it irretrievable on completion of the traveller’s | 

| passage. event. At no time will the Airport Authority have access to the information contained in the CBSA back- | 

| end systems. Disclosures of information to other government departments occur after processing. | in this PIA | 
| only disclosure of information to StatCan is addressed, disclosure of information. collected through PIK to other | 
| government departments (i.e., ESDC) is not addressed ; as discussions are still in preliminary stages. 1 An 

| | amendment to the PIA will be made once an agreement h has been reached. | 


Lin terms of disclosure of travellers' data to StatCan, all paper E311 customs declaration forms: are | 
sent to StatCan monthly for scanning to JPEG files (in other words, a ' “snapshot” is taken of each declaration), | 


| and StatCan returns a hard drive to CBSA with the captured E311 JPEG files. Annually, this represents over 20M 

| records that are returned to the CBSA. Other Government. Departments leverage this E311 JPEG data as well. 

With PIK, travellers’ data will be captured in discrete data fields, and transferred electronically to and 

| automatically stored in a CBSA repository. The CBSA is developing an automated method to extract selected | 
traveller data and electronically transmit it to StatCan by secure means. The traveller data sha ring with StatCan | 

| is addressed in more detail in section 4.4. | : | 


Duration of the Program or Activity - Level of risk 
One time program or activity : [| 1 
Typically involves offering a one-time support measure in the form of a grant payment as a social support 
mechanism. 
“Short-term program [j2 


A program or activity that supports a short-term goal with an established “sunset” date. 


| Long-term program 3 


Nei program that has been modified o or is is established with n no o clear” “sunset”, 


i 
i 


Landi isa a long te term initiative fr the CBSA. Through the implementeren of PIK, t iafrasteucture changes, will be - 
| made within the CBSA service areas; traditional primary iin booths will i removed to o free «p space and 
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| complete additional < administrative tasks and broadening the number of travellers eligible for self-s service. 
processing. : 


| Implementation of the PIK initiative will automate administrative tasks, freeing up CBSA officers to focus on 

| judgement-based and enforcement activities at ports of entry. All travellers will continue to see a CBSA officer 

| as part of their entry to Canada. The on-screen declaration and mobile app will also allow the CBSA to phase 
| out the current Declaration Card distributed on-board aircraft, reducing paper consumption and saving oe : 
| $10 million per year through digital service delivery. D 


| Program Population 7 | Level of Risk 
| The program affects certain employees for internal administrative purposes. c 1 
The program affects all employees for internal administrative purposes. | | ]2 
The program affects certain individuals for external administrative purposes. E 3 
The program affects all individuals for external administrative purposes. | ]4 


- Details: This initiative affects individuals who present themselves at kiosks, see king entry to Ca nada at specific 
airports. Primary processing occurs when an individual seeks ent ry to Canada, regardless of whether the | 
_ individual chooses to use a PIK or present themselves to a traditional Primary Inspection Line. While PIK is a 
new tool, the collection of personal information to support the primary processing, with the exception of 

: collection of the photo, remains largely unchanged. ( : 


Technology and Privacy 


- 6.1 Does the new or modified program or activity involve the implementation of a new deoi E (| YES 
| system, software or application program including collaborative software (or groupware) that [ ] No 


is implemented to support the program or activity in terms of the creation, collection or 
handling of personal information? 


6.2. Does the new or modified program or activity require any modifications to IT legacy systems 
and / or services? 


6.3 Does the new or modified program or activity involve the implementation of one or more of 
the following technologies: 


6.3.1 Enhanced identification methods: | YES 
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, L] NO 
fingerprint analysis, voice print, radio frequency identification (RFID), etc...) as well as easy 
pass technology, new identification cards including magnetic stripe cards, ^smart cards" 

(i.e. identification cards that are embedded with either an antenna or a contact pad that 
is connected to a microprocessor and a memory chip or only a memory chip with non- 
programmable logic). 
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6.3.2 Use of Surveillance: 
This includes surveillance technologies such as audio/video recording devices, thermal 
imaging, recognition devices, RFID, surreptitious surveillance / interception, computer 
aided monitoring including audit trails, satellite surveillance etc. 


6.3.3 Use of automated personal information analysis, personal information Matching and 
knowledge discovery techniques: 
For the purposes of the Directive on PIA, CBSA is to identify those activities that involve 
the use of automated technology to analyze, create, compare, cull, identify or extract 
personal information elements. Such activities would include personal information 
matching, record linkage, personal information mining, personal information comparison, 
knowledge discovery, information filtering or analysis. Such activities involve some form 
of artificial intelligence and/or machine learning to uncover knowledge (intelligence), 
trends/patterns or to predict behaviour. 


Personal Information Transmission | v Level of Risk 


The personal information is used within : a closed system. 


No connections to Internet, Intranet or any other system. Circulation of hardcopy 
documents i is controlled. 


: The — information is used i in system that has connections to at least one other system. 
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Primary in ddl Kiosk 


The personal information is transferred to a portable device or is printed. | x] 3 
USB key, CD-Rom, laptop computer, any transfer of the personal information to a 
different medium. 


SARA EEE EE ER ida ann an ane ARAS ASA S ttti ARR Aet han ere T EE (RR ARA KA PIE ER ER AIEEE AARAU Iu as Wet e mer rne sien Anam 


| Details: Requirements for the kiosk sett up, AU connection and routing of information a are part of a | 
Service Level Agreement between the Airport Authority and the CBSA. No kiosk will be activated until til cum ; 
| has confirmed it meets the requirements specified; before activation, the CBSA must issue a digital certificate - * 
to each kiosk, 1 to > digitally Sign the SOAP inessage for Blu verification and ae af the Message, which | 


[eñcrypted) TI T n connection (HTTPS) to the CBSA reverse ! proxy server rto ensure s confidentiality of He. S us - _ 
| information exchange. All traffic generated from the kiosk to the CBSA will be routed over the Internet through 
| a managed and encrypted VPN connection to also ensure additional confidentiality and isolation of the message | 
| traffic over the Internet. All kiosks messages are authenticated through SiteMinder technology and then | 
provided authorization to access PIK Services deployed on the CBSA Secure Cluster as well as supporting 
| services deployed i in the CBSA operational restricted zone. Diagram 6 in Section 4.1 address information : 
| transmission. | . : | 
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- Risk Impact to the CBSA | .— Level of Risk 


. Managerial harm. FI 
Processes must be reviewed, tools must be changed, change in provider / partner. 


| Organizational TN | [| 2 
Changes to the organizational structure, changes to the organizations decision-ma king | 
structure, changes to the distribution of responsibilities and accountabilities, changes to 
the program activity architecture, depa rture of employees, reallocation of HR resources. 


Financial harm. | 3 
Lawsuit, additional moneys required reallocation of financial resources. 


: Reputation harm, embarrassment, loss of credibility. [x] 4 


Decreased confidence by the public, elected officials under the spotlight, institution 
strategic outcome compromised, government priority compromised, impact on the 
Government of Canada Outcome areas. 
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D Details: In the. event of a breach of the personal information collected and transmitted by the PIK, there would | 
| bea decrease in public confidence regarding the CBSA's ability to responsibly handle personal informatio ion. The 
| DU 
| 
a 
E 


Service Level Agreement, initiative design, systems architecture and configuration requirements. prc | 
cu 

adequate level of protection to mitigate this risk. Given the safeguards in place, moving to electronic ction | 

| of data represents a lower risk than the manual collection of data using the legacy paper declaration forms. _ 
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Risk Impact to the | ndividual or Employee : | — | Level of Risk 
nes m non | Cm ! P 
Reputation harm, embarrassment. BN x12 
| Financial harm. i | [x] 3 
Physical harm. 000 Oa | 
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| there could be the possibility of identity theft of the individual. Again, the Service Level Agreement, initiative 
| design, systems architecture and configuration requirements provide an adequate level of protection to 
| mitigate this risk. 


| | Details: In the event ofa breach of passport J travel personal information collected and transmitted by the PIK, | 
| 
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| SECTION 3 - ANALYSIS OF PERSONAL INFORMATION ELEMENTS 


Personal Information Elements and Sub-elements - Kiosk 


The bind table lists the personal information elements collected via PIK. 


DE G t 


| Galea Of E Personal Information i Personal information E | | Purpose / Necessity | 
; | | i Format | Source i i 
| Personal Information | Element | Sub-Element | of Element 
| E i i i 
pr cessor ane, 1 — o nee Owen a aa e TU ERA MCI AIR Es E Hennes o aa MAREA pes abinnennnahn nhs E ape = i — —— cU EE. 
Name - i 1) Name 1} Last name, first name, middie | Electronic Derived from the To documerit border crossing; identify travellers i in existing CBSA information holdings and j| 
; initials i i travel document at | assess admissibility. | 
i i | the kiosk | | 
T s — ORE = araa bene PUE eet oe $ * e i e —  —  áná NE OTRO UIDETUR x. 
| Province/Country 1) Country i Electronic | Traveller data entry i To document border crossing; identify travellers in Bxising CBSA information holdings and | 
| Information | 1) Partial Address 3) Province (for residents of Canada) at kiosk | assess admissibility. Place of residence is also used to determine which additional customs 
| 3) State (for dent of the u. E 3] | related questions are asked to a traveller (i.e., defines resident vs. non-reside t} : 
| Biometric 1) Visual image 1) Visual image of the kravaller | Electronic | Photo rapture à at the : To autheriticate that ihe client i in front of the kiosk corespund with the individual's. proto 


kiosk i embedded in the chip of their ePassport chip (for the clients that have this feature in their 
passport). For all clients, the photo will be printed on the kiosk receipt as a means of 
i connecting the individual(s} with their declaration throughout the rest of the CBSA service | 
| area. CBSA officers will manually authenticate that the individual(s) presenting the receipt i 
| are those featured in the photos. This will improve traveller flow, strengthen travellers’ | 
identity reconciliation, 


| E te ei P AREE ta Se ie a I einen PE 
| 


taken by the kiosk. 

| 

|| (Note: visual images are only 

K captured for travellers that are 14 


| years of age and older.) 


I 
| 


| : : 

a — a MES — — D —— aaa: Debo — SRE AM ; nd e: reins 
pones | 1) Citizenship / | | 1) Citizenship n Ratianálty of | Electronic! Derived from the | To document border crossing; identify travellers in existing CBSA information holdings and 
Nationality | | Nationality | traveller ; travel document at | assess admissibility. 

] | j ; the kiosk | 
| Purpose of Trip , Purpose of trip | 1) Personal | Electronic | Traveller data entry | Toa assess admissibility ak duisi: national travellers, 
2 | 2) Study | | at kiosk | | 
d d i i i | 
| | 2) Work or Employment j : 
| | 3) Immigrate | | | | 
Dee E PEEL oe der ad ucc à ; iuc c uus pl i va Apud aito PEL nn TIS Y i 
Date of birth Date of birth 1) Day of birth i Electronic : Derived from the i To identify travellers i in existing CBSA information holdings and assess adrnissibility. | 
| 2) Month of birth i travel document | 
| | | 3) Year of birth | | 
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Gender | Gender i Gender of Traveller | Electronic ; Derived from the | To identify travellers in existing CBSA information holdings and assess admissibility. 

| | | i travel document 

—————————— a j — s anaana aana ma miam. ————M——————————Ó ARIA Fees —— arena. t ————— € 'J' a a a aa a aaa à à A IER ——— — NICO MTS RE MEM! 
Travel Document | 1) Travel Document 1) Document Type | Electronic | Derived from the To document border crossing; identify travellers in existing CBSA information holdings and | 
Information (may ; Information 2) Document Number : travel document , assess admissibility; to verify the validity and authentication of the travel document. In the | 
be their Passport) i | 3) Document Caünitry of Issuahce | ; | past, a CBSA officer would manually verify the travel document; through PIK, the kiosk will | 
| ; _ conduct these tasks, validating the document against PKD information, 
| 4) Document expiration date | 
| | ij | 
i 5) Public Key Directory {PKD} | : 
oe RP NES | DUNT e 
Customs and OGD | Declaration | Declaration questions related to: Electronic | Traveller data entry | To assess duties and taxes; to assess goods admissibility. Í 
Related Questions questions | 1) Firearms or other weapons | at kiosk | | 
| 2) Commercial goods | | | 
| | 3) Food, plant or animals : 
i 4) Currency (more than $10,000) — | | 
| . i l 
| : 5) Unaccompanied goods i | | 
| ; 6) Visit to a farm abroad and ; | 
| : destined to a farm in Canada i 
| | Declaration related to personal | | 
| | exemption (returning residents) and | | ; i 
| allowance (visitors); and value of | i | 
| goods for travellers indicating they | | : | 
| | exceeded their exemption limit. | i i 
IDEEN SU ROI ae LU EIQUE AXI MU QA PEERS TEMA sp A He : LE MESE ERAN SE RM ELLA a a ON EH CRUEL EIEL TET = rs. 
| Duration of stay in | Duration of stay in | Duration of stay in.Canada Electronic | Traveller data entry | To assess admissibility of foreign national travellers. i 
| Canada | Canada i | | at kiosk | | 
peng A EEE - MN LU MM NNNM MM ra Rp Mc LM MD CHE m | EFE SE MM] f OPETAN EE TET EDERE NNE 2x Pipita Sas = E s en RAS ma ee sn | 
i Duration of stay Duration of stay | Duration of absence from Canada Electronic | Traveller data entry | To assess traveller exemption allowance for Canadian residents | 
À " t ł k | 
i outside of Canada outside of Canada i | at kiosk | 
oe a CE OE EE — BLEND EH M mou puce E NRI UIN SE DEEE EO ERE REIHEN EU ete ~ 
: Signature Electronic Signature | Physical signature replaced by on- Electronic | Traveller data entry | Validation of the information provided. | 
| | screen confirmation that the | at kiosk | 
i declaration ís true, accurate and | 
: | complete. i | 
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The following table lists the personal information elements collected via the CanBorder-eDeclaration app. It is important to note that the app provides travellers an opportunity to complete their 
declaration in advance of arrival; however, it has been deliberately designed to capture the minimum information required to that of a non-sensitive nature. Travellers are identified solely by 
nicknames within the app. At the kiosk, each traveller will be prompted by nickname to scan their travel document and present for a photo, reconciling the declaration stored within the OR code, 
with their legal name. No information is transmitted to the CBSA in advance of arrival as there ís no connection between the mobile application and the CBSA's systems. Each traveller declaration will 


be reconciled with a travel document scan and photo at the kiosk proper. Additionally, app users will have the opportunity to review and edit their declaration on the kiosk, improving data validity 
and ensuring every opportunity to make a full and complete declaration. 


i LONE MM Per MEE baee um Mu E cU M ED Gi sore ge = 7 DL IQ. NEN NEL RD dL LU P QM CNN LM E IQ LUE. 
| ersonai : : j : : 
j Category Of : : Personal Information Foo ] Purpose / Necessity : 
; i . Information : Format : Source ; 
: Personal Information : | : Sub-Element : : j| of Element i 
PEO E E E eta enon . EREET m ru Fasc sete dea AN E "— E: 
| Province/Country | 1) Partial Address 1) Country | Electronic Traveller data To document border crossing; identify travellers in existing CBSA 
: Information 2) Province (for residents of Canada) | entry on the information holdings and assess admissibility: Place of residence is 
i | | : : ; ; S d i hi itional cus! lated questions 

| 3) State (for residents of the U.S.) , | app also used to determine which on customs rela ec qu 
| : i | are asked to a traveller (i.e., defines resident vs. non-resident). 
BEP NOMINEE M ee PIS M DOLCE UM ye E POMS eg uS: Ne (PENNE NM IU MIU Seen E oe S 
| Purpose of Trip | Purpose of trip : 1) Personal | Electronic | Traveller data To assess admissibility of foreign national travellers. | 
| | | 2) Study | | entry on the | 
| | | 
i | | 2) Work or employment | SPP. : j 
| | | 3) Immigrate | | 
] ——— UU STATUS RA menena cases, i — — ERA pese EUR PANES P LEER | ECTETUR a en ee ee - E 
| Customs and OGD i Declaration : Declaration questions related to: Electronic l Traveller data i To assess duties and taxes; to assess goods admissibility. | 
Related Questions | questions | 1) Firearms or other weapons ;entryonthe — | 
f i i j ‘ 

| 2) Commercial goods ou | 
| | 3) Food, plant or animals i | 
j : 4} Currency (more than $10,000) 


5) Unaccompanied goods. 
6) Visit to a farm abroad and destined to a farm in Canada. 


i 
Declaration related to personal exemption (returning | 
residents) and allowance (visitors); and value of goods for | 
travellers indicating they exceeded their exemption limit. 


Peta PEN CRIE MET . Š eae i 
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c. --— i ee i a E DS 
Continued 
i Duration of stay in | Duration of stay : Duration of stay in Canada : Electronic — | Traveller data To assess admissibility of foreign national travellers. i 
| Canada | in Canada | i | entryonthe — | | 
| 2 | | app. | | 
i i TA H oe HH a Er NS Propre 7 ere = : URGTWNIMT EPIFT TRO SN y RE py Dee ue EC Mni ne Sage ven UE pos E E 
i Duration of stay ' Duration of stay Duration of absence from Canada | Electronic | Traveller data : To assess traveller exemption allowance for all Canadian residents. | 
| outside of Canada | outside of ] |entryonthe | 
| | Canada | app. | 
- ds uu. re LEE. nn en PM c LAE UTER zx Qum can ie E acd ——— ROS pen aes 3 
Signature | Electronic | Physical signature replaced by on-screen confirmation that the | Electronic : Traveller data — | Validation of the information provided. App users will review their | 
| Signature | declaration is true, accurate and complete. : entry on the | full declaration before generating their QR code and will be i 
i | j | app. presented with an editable summary at the kiosk for final | 
| | | | confirmation. | 
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SECTION 4 - FLOW OF PERSONAL INFORMATION 


4.1 Data Flow Model - Diagram 


Diagram 1— 


- Call to the PIK back-end system 


API- Advanced passenger information - passenger information transmitted to the CBSA from carriers prior to departing for Canada. 
CBSA System - the PIK back-end system that receives and transmits data to the kiosk, queries various agency databases and 
formulates a refer/release recommendation. 
MIRZ - Machine readable zone, is the area on a document encoded with travellers biographical data. 
PAXIS - is a secure system used by CBSA to review of API/PNR data related to persons scheduled to arrive in Canada. 
PKD -ICAO's Public Key Directory (PKD) is a central repository for exchanging the information required to authenticate 
ePassports, 


The déclarsiion deta from the GR code scan wil be 
displayed for the travetler(s) to confirm, including: 


QR Code -a two-dimensional, machine-readable, optical label that uses a number of encoding modes to store data. M CESA System wil query the 
Batak | foftowing mis: 
- Residency iod: 
Í Exenir ier PNE information re 
Kiosk will di names and ~ Exemplen er nons m - immigration status 
SURG MAN RDUM - Answers to the OGD questions - EH pokou 
favel party. + TUSCAN Iokouts 
^i SFO (Passport Canada) 
The kiosk will capture the photo Kiosk wit display - Canadian Citizenship! PR Status 
Optisan i of a8 aveis, except minors number pulled from API 
Traveler scans GA code contain under 14. data from PAXIS. The Special questions to Y Travéller(s} are -ICES 
decteration information Ded. trevellar(s) will Nave the option À deal with special required to certify ~ aan gono i " 
using CanBordel j ó of overrking the flight number. cHcumstspces (e.g. | that fheir declaration ~ wants. and warten 
PR E: QR code is transmited te CESA Ebola} istrue, accurateand | - Customs enforcement data 
System, dala is extracted and sent Flight crew members wilt also compete. = GSIS lockouts 
back to kosk. be identified at this point. T CHER 
3$ Declaration 


E Confirmation: He 


3d Welcome f 


8 in Travel 


| Alt members of the 


Party; 
Residency 


From 


Kiosk will only accept | Passport information 
passports and sant to CBSA System 
Canadian Permanent | and PAXES query 


of Stay or 
Absence 


The travellers status 


| All travellers will be asked: 


| The receipt wil 
display the refer f 


| Resident Cards. The osk wil recommendation, 
ee | travel party must have | MRz data is dom da s. | beprompiedto | wibe asked to will determine if they pidan 
Gotion 2 es ine same residency: | interpreted when the | PKD validation wal be with an ePassport by : contin their duration. | are eligible for lame are bringing into Canada: Podium notification 
Jravetier(s) commences the manual. = Province fog traveler scans their pertonmed on aii comparing the photo - Visit of absence. Visitors exemptions.or (f) Firearms or other weapons (eg. switchbiades, Mace or pepper spray) codes, biographical 
Geclaration process by selecting their e peri aaa document, ePessports, to captured by tha kiosk to the ~ Work wii be asked to allowances. Travellers | (2) Commercial goods, whether or not for resale {e.g. samples, tools, data from travel 
Preferred language, - Slate JS. continms: i i ~ Study confirm thier duration. | immigrating to equipment) ument, photo 
Citizens MRZ elemonis: - The document was Pre moree on heeds: + Immigrate of stay. Temporary — | Canada bypass this. | (3) Raw or cooked meat, fish, seafood, eggs, dairy products, fruits, ird by Kiosk, 
- Gauntry for Foreign. | | Document type issued by 2 Residents will be question. vegetabies, seeds, nuts, flowers, insects, bibs, plants, wood, Rve duration of stay ar 
Nationals - Sub-category of bone fide authority asked ts enter both. animas or any other anima: ov plant parts oe their derivatives date teft Canade 
document type ~The Bograptical Those immigrating (4) Currency enc/or monetary instruments totaling CANS10,000 or more Fight number, vie 
Aning from - issuing country ant biometric bypass this screen, at goods, and 
-US. Names information fias not Vwe have: partinent OGD 
- Other country drect | Document number bean altered (S) unaccompanied gonde responses. 
- Other country via - Nationally - Authentication and (8) visited a farm and wal be going to a fam in Canade 3 
US. ~ Date of bisth ensure the 
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Data 


| Personal Element 
Destination | Data and Context | Traveller Comments Stored in 
| Data? CBSA 


| System 


Kiosk Message #1 | Kiosk will capture and send Biographic and initial Declaration Data to CBSA 


Selected Language for pre-processing & eligibility to use Kiosk. Yes - ICS 


Travel Document MRZ | Yes - ICS 


Includes Name, Nationality, DOB, 
Yes - ics 


Gender 
Yes - PAXIS 


PIK Service 


getFlightData Surname Surname of traveller 


First Name 


First Name of traveller 
Date of Birth 


PIK 
Service 


Yes - PAXIS 
Yes - PAXIS 


Date of Birth of traveller 


Travel document number 


Document Number 


Yes-ICS — 
Yes -1CS | 


| Port of Departure Yes - ICS 
No Port of Arrival Yes - ICS | 
| Flight Number Yes - ICS 


Carrier Code (IATA) Yes- ICS 
Yes - ICS 


Yes - ICS 


Combined Name of traveller - 


Date of Birth ii Date of Birth of traveller 


| Document Number 


Travel document number 


| Port of Departure 


Port of Arrival 
Flight Number 
| Carrier Code (IATA) 
Carrier Code (ICAO) 
Code Share List 


PAXIS PIK Service 


Yes -ICS 


Yes - ICS 
Yes — ICS 


PAXIS Traveller Identifier 


PAXIS Traveller 1D *only if traveller 
is found 
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Result 


PEK 


Kiosk Message 82 | Kiosk 


| 
| 


$ 
H 


I 
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Service 


Kiosk 


P IK Service 


PIK Service will return a success indicator if traveller is eligible to use the Self 
Service kiosk, as well as flight data found for the traveller and the dynamic 
OGD/SOGD question set in their chosen language. 


Eligibility code 


Flight Number 


Dyanamic OGD/SOGD question set 
in chosen language. 


Kiosk Identifier Unique identifier for the Kiosk 


Selected Language No Chosen language to be displayed on all kiosk screens 


Privacy Acknowledged No Indicator that the privacy disclaimer was agreed to 


indicator if mobile eDeclaration presented to kiosk to initiate the Kiosk 
session. 


Mobile App used Ind. No 


| # of travellers in group 


| Number of travellers in group 


indicator that the declaration was certified by the traveller 


Declaration Certified Ind. No 


Country and Prov/State only Yes - ICS 


The flight number returned from CBSA based on pre-arrival data supplied by 


Flight Number No ; | 
air carriers. 


Yes -1CS 


If no flight was returned from CBSA, or there was a manual correction made 
to the flight number by the traveller. 


Manual Flight Number Entered Yes -ICS 


| Arriving From US Direct, International, Other. 


Travel Document MRZ Yes 


ICs 


| Yes - 


Yes -1CS 


Biographic Data inlcuding Name, Nationality, DOB, Gender. 
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| ePassport Chip Data Yes Biographic and Photo encoded on the ePassport chip. 


Declaration Data includes answers to declaration questions, including 
OGD/SOGD equivalent to E311 data. 


Declaration Data - Purpose of trip, 
duration of stay, duration of 

absence, value of goods, answers 
to OGD/SOGD questions. 


Traveller Photo Live photo taken at Kiosk. 


Facial match result 


Travel verifying the digital signature against ICAO's PKD. 


Document Travel Document MRZ 


PIK 


: Verification 
Service i 
Service 
(TDVS) : 
ValidateTravel 
Document ePassport Chip Data (if ePassport) 
Travel Document MRZ Yes The MRZ String being verified 
S Verification Result 
PIK Service 
Result Reason 
PerformRisk ai IBAS 
Assessment ; (through Travel Document Number 
Service 


Passage 


Canada Border Services Agency mu 


The Kiosk is reponsible to conduct facial matching of the live photo against 
the ePassport photo, and supply the matching results calculated by the Kiosk. 


nternal to CBSA, Biographic Data and Photo is delivered to backend service 
that verifies the travel document is valid and has nat been tampered with by 


No 


Yes -1CS 


No 


Yes - ICS 


Yes -IC$ 


Yes -IC$ 
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IBAS 


PIK 
Service 


ICES 
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Services - 
CQ) 


PIK Service 


ICES 
{through 


| Passage 


Services - 


| CQ) 


PIK Service 


Given Names 


Traveller Name 


Surname 


[Gender — 


| DOB Day 
DOB Month 


| DOB Year 


Citizenship 


Serial Number 


idType B 


CounterfoilCategory 


issueDate 
ExpiryDate 


| Country — — — | 


Status 


Travel Document Number 
Traveller Name 


Given Names 


Surname 


Gender 


Yes 


Yes 


PIA 


Surname, Given Name 


Traveller Biographic Data, as stored in iBAS (from IRCC, GCMS System} 


IRCC generated data, representing Immigration Permit Data 


Travel Document Number - 


Surname, Given Name(s) | 


Traveller Biographic Data, as stored in ICES 


Yes - ICS 


Yes - iCS 
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A list of previous enforcement actions taken against the traveller : 
| Yes Yes - ICS 


Previous Enforcement Actions 


I E NS 


An indicator if the traveller has a lookout created, by lookout type. 
Yes Yes - |CS 


Lookout indicators 


A confidence percentage match between name supplied and ICES record. 
No ae 
No 


Percentage Match Indicator 


Response Code 


Generated 


Yes - ICS 


A Success or failure indicator for the self-service session result. 


Biographic data and Photo captured at kiosk as well as Travel Document - 


PIK Kiosk Number and CBSA referral codes are printed on the receipt. Yes - ICS 
Service | (CBSA copy 
H Y 
Receipt es of generated 
receipt) 


ANA —  —— eee po à À 2, 
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| Primary Inspection Kiosk (PIK) Initiative 1.0 $ 

AUD - Traveller Presents for Primary Processing at Kiosk ~ Kiosk Message #1 y 
5 *.Beginosksession, — ^ 
ro _issinct language, declare Seo ejos Bow LL Process Self mn EON 
2 |plaze of residence and scan DS rA 
ER ‘ave document E. 


y Ban ANT A i MATE IAS E ca M NS 
74 Opensecum — m é 85. Kiosk receives 
: BSA an ees 


Secure VPN runner D 
E T Secure VPN tunnel 
aver the Internet hi 


Ks E 

5, VerBy digital signature | i * { ; Over the Internet 
and valida: Kiosk |< Valid? ^ | Cd Sand CBSA sponse i 
i 
oo 


iireject jte Kio 
lrequest message | ed Hreject message) to Kiosk, 


n ý go oU 
7" Rejected message data 
is ot stored 
/'9. Retrieve pre-depenure X 
Flight Data based on travail! 
Biographic Data (Name, 
‘DOB. Travel Document) 


massage including Flight Data 
and Dynamic Question Sat io 


= 


Legend : i ; | 
Primary Flow V. Business Process P. aad | Automated IT Service CÉ secure Connection 
— —h  sAiternate Flaw e 
* be 3 ef, E 
"7 Decision c Restricted Access wk ; 
CJ start Process aod Travelier Pracess 
a End Process <B> Concurrent Processes 5^ MS Data Repository CO Process Continued j 
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Diagram 3 — 
] 
& 


^s 


Primary inspection Kiosk (PIK) Initiative 1.0 
1.1— Perform Primary Processing Assessment of Traveller — Kiosk Message #2 


"s 


£ 
| +. Present for photo and 

ei campiote declaration and 
OGD SOGB questions 


Traveller | 


(2. Electronically capture — //3.Generste Kiosk request ^Y — /4. Open ec 4 / 8b. Kiosk receives 
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Traveller data elements collected through PIK and to be shared with StatCan: 


First Name Purpose of trip (foreign nationals only) 

Last Name Duration of stay (visitors) 

Language selected Duration of absence from Canada (residents): 
Document type -24 Hours or less 

DOB -More than 24 hours but less than 48 hours 
Citizenship -More than 48 hours but less than 7 days 
Gender -7 days or more 

Province / State / Country Arriving by 

Airline Code/Conveyance number Arriving from 

Crew Y/N Number of people in session 
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4.2 Data Flow Model - Table 
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| The individual ora a representative | Traveller 
CBSA ration Holdings CBSA Information holdings such as: 
+ integrated Customs System (ICS): A common platform for 


| 

| 

| managing authorized and authenticated access to the 
CBSA systems: 
: o PIK Service - that handles the orchestration 


and coordination of primary processing for 
each traveller using the self-service Kiosk 
option. 
© Secondary Processing and Passage History 
(SPPH) to store traveller encounters, including 
| declaration data, referral codes, and 
| examination results. 

o Passenger Information System (PAXIS) to retrieve — | 
passenger and flight information through the | 
Advance Passenger Information (API) — CBSA PPU | 
008. | 

Integrated Custom Enforcement System (ICES) — CBSA PPU | 
016. Data from the following programs is accessed through | 
ICES: 
o Criminal Investigation Program — CBSA PPU 1402; and 
o Intelligence Program — CBSA PPU 035. 
Interdiction and Border Alert System (IBAS). Data from the 
following programs/systems is retrieved through IBAS: 
o Immigration Investigations Program — CBSA PPU 1403 | 
o Enforcement Information Index System (EIIS) — | 

CBSA PPU 025 
o Document Integrity Program — CBSA PPU 1404 

The Lost Stolen Fraudulent Document (LSFD). | 
| *immigration related data is retrieved from Global Case | 
las Management System (GCMS) through IBAS. 


Royal Canadian Mounted Police foret. | A subset of Wants and Warrants from Canadian Police 


| Holdings 


4.3 Internal Use and Disclosure 
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4.4 External Use and Disclosure 


| Statistics Ca nada, as per the terms of the current | ^ 
| Memorandum of Understanding and an Annex (being drafted), ! 
.] 
| 


|A federal government institution - 


supporting the sharing of information collected by the CBSA. 
| Disclosure authority under Section 107(5)(b) of the Customs 


| Public Health Agency of Canada, Traveller Illness Reports: — 
| PHAC PPU 071, as per existing information sharing 
agreements, upon request when required to support 

| national health and safety. Disclosure authority under 

| Section 107(4 )(e ) Or 107(5 )(b) of the Customs Act. 


| Employment and Social Development Canada, 
Employment Benefits, Support Measures and Other 
| Programs ESDC PPU 293. The data elements collected 
| through PIK to be shared with ESDC and the authorities 
are re being reviewed, 


on premon Se — —Á — H— Hess | 
| Non- federal institutions à and j private s sector | | 


- Provincial Gaveenment | No systematic disclosures: any i disclosures would be pursuant | 
| to Section 8(2) of the Privacy Act and/or Section 107 of the 


| Customs Act 
| "n Nau a Re ———— — 


ir n RAR RAR AR iii UENIUNT E CEE 


— sudes mme a en NI NI Dodo en ees 


No systematic disclosures any disclosures would be pursuant: 
i to 8(2) of the Privacy Act and/or Section 107 of the Customs | 
| Act n 


—— TD: BRIE A TT 


| - | Aboriginal Government £ Council |i No systematic disclosures; any disclosures would be pursdani | 
| | to 80 )o 2) of the | Privacy. Act and/or Section 107 of the Customs Act | 
| -  Oiganization óf a Foreign State |N No systematic disclosures: any disclosures would be pursuant l 
| | to 8(2) of the Privacy. Act and/or Section 107 of the Customs Act 


" 
No systematic disclosures: any disclosures would be pursuant | 
| to 8p ) 2) of the Privacy. Act and/or Section 107 of the: Customs Act | 


inh nan t nino? mie T PNE LAON EN E A MAE ARA AE TENTE EN EE 


- | Located in Canada and Canadian Owned None 


- Located in Canada and Foreign Owned | None 
| 5 | Located abroad and Canadian Owned 
MEE Located abroad and Foreign Owned | 
EE ss TER TR TEL EBENEN SE HK VE EE E NT RUN RE PAIE PRE EPST PA A a RP EE NM: 


Disclosure of the personal information collected is communicated in the privacy notice statement provided to users at 
the point of collection, either on the mobile device or at the kiosk, which mirrors the CBSA's existing processes for 
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information collected via the E311. While risks inherent in the other organizations cannot be mitigated by the CBSA, it 
is possible that the CBSA can influence the transparency of the process. 


The following section examines privacy compliance (at a high level) for the transparency of the disclosure of 
information to StatCan, as included in this initiative. The disclosure of information to any other government 
departments, per existing agreements, is not further explored in this PIA, as there are no changes to the established 
processes. 
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Statistics Canada 


The external disclosure of E311 information to StatCan enables the digitization of the information (by StatCan) and is 
used to validate the findings of their International Travel publication. Though 2015 demographic information is 
available online for manipulation, the last International Travel publication located on line is from 2010. In 2010, 
StatCan received and processed 18.3 million E311 traveller declaration cards. The information used to populate the 
report is collected via a questionnaire handed out to travellers, then validated by the information captured in the E311. 
The survey results may be impacted by two types of bias: distribution bias could result if only specific types of people 
are given questionnaires and non-response bias could result if only specific types of people actually respond to the 
questionnaire. In order to improve the accuracy of the data, StatCan pulls a sample of the E311 cards, filled in by the 
responsive travellers. Questionnaire responses for trip purpose and duration of trip are compared to the responses 
received on the questionnaire.’ 


The collection, digitization and use of the information are not clearly reflected in an institution-specific Personal 
information Bank, published in Info Source by StatCan. Discussions with StatCan privacy personnel iterate that the 
information is not used to make any administrative decisions that directly affect the individual and is not stored ina 
manner that would make the information realistically retrievable, in the event of a request for access. While the 
individual's information could be located within the digital records, it would not be likely that the information could be 
reasonably located within the almost 20 million records. 


For this reason, StatCan represents the collection in Classes of Records: Tourism Statistics (StatCan ETC 180) and 
represents the process of collection / digitization in a high level description, “5.4) Cost-recovered Services related to 
Statistical Infrastructure." 


Within the published report, there are references to the use of the CBSA E311 card. There are, however, no 
transparent references to the collection and use of the E311 card communicated to the public in the StatCan 
information holdings. 


There is a Memorandum of Understanding in place between the CBSA and StatCan, which includes the personal 
information collected through traveller processing. In digitizing the print records, StatCan required access to the entire 
E311 document. With PIK, the records will be digital at the point of collection, so StatCan will not be required to scan 

-© the E311 cards. They will, however, continue to complete some statistical analysis on the data for the CBSA. As part of. 
the PIK initiative, a review of the existing information sharing practices and personal information elements required for 
both traveller processing and statistical analysis was conducted. In doing so, the CBSA validated the data to be shared 
and has confirmed that only the elements required will be disclosed. Section 107(5)(b) of the Customs Act provides the 
authority for the disclosure. An Annex to the current Memorandum of Understanding with StatCan is being drafted to 
reflect the data to be shared and transmission process. 


through PIK to be shared with StatCan). 


^ Statistics Canada Report, international Travel 2010, page 58. 
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4.5 Retention / Storage 


Du eR: Pre ner F — 


| Canada Border Services Agency- - Files are — fors seven years from the date of the traveller" S | 
| 


Integrated Customs System (ICS), | entry to Canada, as identified by the traveller's passage time, | 
Passage History database | recorded at the kiosk. This reflects existing retention periods for 
| traveller processing. After this period, the records are destroyed. 

| 

| | No personal data is retained by the kiosk. Data collected during the 

traveller processing is erased from the kiosk in a way to make it | 

irretrievable on completion of the traveller s passage event. B 
4.6 Other Possible Considerations 
pU mcs Ped Parmele area ai ees "—— e—a NONE CP NM ore m 
| Identify Groups or Areas Jo or r Divisions Positions who Halve ai access or use the | Geographical Location : 
| | personal information (where appropriate) | | | 
E T NRI AEE ee ete Ca ANA al Ai ERR DR tenes ge ou diurna Nd em E drame msn nn ÉRIC | 
[: The CBSA responsible for program or activity: | 
| —— iba ann i iA RR ees ——————— AM €————— ORI J————— RÀ 

| Traveller Transformation Directorate - [A Approximately 25- 50 staff members | | National Capital Region | 

Information, Science ana | Approximately 20- 25 staff members ir in National Capital Region | 

| Technology Directorate _ a production support role, responsible | 
| | for receiving incidents and requests 
| | from end-users, analyzing these and | 
| either responding to the end user 
| | with a solution or escalating it to the | - 
| | other IT teams. These teams may | | 
| include developers, system engineers | 
| _and database administrators handling | 
| _system i issues EN | 
rn Border Operations Directorate | Approximately 1750 staff member (dm Top t tën Canadian airports — — 
| including Border Services Officers, | Toronto, Ottawa, Vancouver, | 
| | interns/students, Superintendents, | Calgary, Edmonton, Winnipeg, | 
| | Chiefs of Operations Montreal, Halifax, Billy Bishop | 
| | | | 
| " | and Quebec City | 
| Recourse: Directorate | Approximately js. 30 staff members National Capital Region and 
| | handling recourse and appeals | Regional Offices 
= -. — md cn ad DRE IOTER ONIS AM ein 
| ot Other federal government Institution ens for program or activity: 
| | Statistics Canada | StatCan estimates access is limited t to | Ns National Capital Region 
| 50 staff members, including scanning | 
| clerks and statisticians 
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RR uu M e ud aed "— NN | 
| Has a legal authority been identified for the collection of personal information for this program or activity? 
Yes | 
1.1 [X] Specify the legal authority and briefly explain its connection to the program or activity or how it | 
permits the collection of the personal information: 
Legal authority f for the collection of personal information via the print E311 and through the | 
| automated primary inspection process facilitated through the PIKs is derived from multiple, | 
| inter-related legislations and regulations. D C | | 
o Information required for the regulation of goods (import/export) i is derived from one | | 
legislation and supporti ng regulations. 1) Section 12 of the Customs Act, which states, | | 
M "all goods that are imported shall, except in such circumstances and subjectto such | | 
| : conditions as may be prescribed, be reported at the nearest customs office designated 
- for that purpose that is open for business.” And 2 ection 5(3) of the Reporting of 2 
| Imported Goods Regulations, which states, “Goods that are imported by a person | | 
be arriving in Canada on board a commercial passenge €c nvevance other than a bus shall | 
| be reported i in writing." 2 | | | 
| [o Information required from individuals as they request entry into Canada is derived from | | 
| two legislations. 1) Section 11 of the Customs Act, which states, “every person arriving | | 
| . inCanada shall, except in such circumstances and subject to such conditions as may be | 
: prescribed, enter Canada only at a customs office designated for that purpose that is | | 
| open for business and without delay present himself or herself to an officer and answer | 
2 truthfully any questions asked by the officer in the performance of his or her duties - 
| . under this or any other Act of Parliament." And 2) Section 18(1) of the Immigration and | | 
| Refugee Protection Act which states, “Every person seeking to enter Canada must | 
| appear for an examination to determine whether that person has a right to enter 
Canada or is or may become authorized to enter and remain in Canada." 
| | In addition to these specific legal authorities, information i is also collected under the | 
| Proceeds of Crime (Money Laundering) and Terrorist Financing Act, as well as associated | 
| regulations made thereunder such as the Cross-border Currency and Monetary 
| Instruments Reporting Regulations. Subsection 12(1) of the Proceeds of Crime (Money 


Laundering) and Terrorist Financing Act states, ‘ “every person or entity referred to in 
subsection (3 (3 ) shall report to an officer, in accordance with the regulations, the 
| importation or exportation of currency or monetary instruments of a value equal to or 
greater than the prescribed amount." : 
| 
| 
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| any instrument made under: it, or rany part of such an Act or r instrument, | C Ü 
_ (a) that the Governor in Council or Parliament authorizes the Minister, the Agency, the | 
| President or an employee of the Agency to administer and enforce, including the | 
| .. Customs Act, the Customs Tariff, the Excise Act, the Excise Act, 2001, the Immigration | 
| . and Refugee Protection Act and the Special Import Measures Act; | 
| (b) that the Governor in Council or Parliament authorizes the Minister, the Agency, the | 
|o President or an employee of the Agency to enforce, including the Agriculture and Agri- | 
| | Food Administrative Monetary Penalties Act, the Canada Agricultural Products Act, the | 
Feeds Act, the Fertilizers Act, the Fish Inspection Act, the Health of Animals Act, the | 
| | . Meat Inspection Act, the Plant Protection Act and the Seeds Act; : | 
i | ; 
| P (c) under which the Minister or another minister authorizes the Agency, the President 
| or an employee of the Agency to administer a program or carry out an activity; or 
| | (d) under which duties or taxes collected and paid pursuant to the Customs Act are | 
MEE imposed." x | 
| 1.3 [Xx] Is the Perana information collected directly related to an operating program or activity? 
| | Details: the information collected has been cross-referenced with the purpose of collection. 
eee o Um s Wa uu cu uu I  Iuacxcl. I ul,T-- 1 
| No 
| 1.3 If there is no legal authority for the collection of personal information, it cannot be collected. Please 
| consult your legal advisor to determine if there is authority to proceed with the program or activity. 
z 2. Necessity to Collect Personal Information | 
» Is each element and sub-element of personal information collected or to be collected necessary to 
| administer the program or activity? 


YES 


[X] Ensure that all personal information necessary to administer the program or activity is listed in the 
relevant PIB. 


Zä 


AR nr 


2.2 [X] AND, implement controls and procedures to ensure the CBSA does not collect more personal | 
information than is necessary for the identified program or activity and that a continuing need exists | 
for that information or its collection. 

| 
: 


1 
i 
i 
1 
1 
$ 
1 
E 
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7 


The use oos information for enforcement (if required) internal to the CBSA and disclosures to other 
| government departments such as StatCan would be considered secondary uses. These uses are documented 
in the Personal Information Bank and notice is provided to the individual at the point of collection. 


| 
| 2.3.2 If not, is there authority for the use or disclosure of the personal information? 
| 
ves | ]NO 

= 
| 2.3 | | Review the proposed elements and sub-elements of personal information outlined in “Section 3 ~ 
Analysis of Personal information Elements” to identify those that are “necessary” and not merely 


| useful. _Document any changes. 


3. 3. Authority for the the Collection, Use or Disclosure of the Social Insurance Number 


L the collection of the Social insurance Number (SIN) necessary to administer the program or activity? 


3.1 | | Collection of the SIN must be in com pliance with the Directive on Social Insurance Number (please 
| check all appropriate boxes below): 
| 


3.2 d: Slate legal authority for collecting the SIN: 


Len RA RS ee FORMAT MUR — ses LA ARMAR ARRA RES rn TE PER ERRARE ARRA NANNY Mn MMC ERREUR RR, 


OR, i in n the absence of a Tegal authority to collect the S SIN: 
3.3 | | Establish explicit authority through legislative amendments). 


3.4 | ] Establish legal authority as outlined in the Directive on Social Insurance Number. 
AND, if disclosure of the SIN by the CBSA is to occur on a routine or systematic basis 


| 
| 
| | 
| 
| 

3.4.1 [ | to another federal institution that is authorized to collect it, or to another level of government, 

establish an agreement or arrangement that includes specific provisions to limit the use of the 

SIN. 
3.4.2 [ ] to a contractor or other external service provider, establish a contract that includes specific 

provisions to limit the use of the SIN. | 
| 
| 


a 5 | ] AND, ensure that the relevant PIB for the program or activity states the authority under which the 
SIN is collected and the purpose for which it is used. 


= 
3.6 [X] The SIN is not necessary and it will not be collected, used or disclosed to administer the program or 
| activity. 
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Is personal information collected directly from the individual to whom it relates? my 
YES | 
4.1 A "Privacy Notice" (adapted for either verbal or written communications) must be provided to the 
individual at the time of collection and it must include the following elements: 
a) The purpose and authority for the collection 
b) Any uses or disclosures that are consistent with the original purpose. 
c) Any uses or disclosures that are not related to the original purpose 
d) Any legal or administrative consequences for refusing to provide the personal information 
e) That the "individual to whom the information relates" has rights of access to, correction of and 
protection of personal information under the Privacy Act. 
f) A reference to the PIB for the program or activity 
g) Why the SIN is collected, how it will be used and the consequence of not providing it. 


| AND, add a “Consent Statement” to the “Privacy Notice” as appropriate, if the personal information is to | 

| be used or disclosed for a purpose other than the original purpose (Secondary Use) or a consistent use, 

| or, to authorize indirect collection of personal information. 

| 4.2 [ ] The “Consent Statement" must include the following elements: 

| a) The purpose of the consent and the specific personal information involved. 

| b) In the case of indirect collections, the sources that will be asked to provide the information. 

| (This element need only be included when personal information is to be collected from another 
source e.g., person or organization with the consent of the individual) 

| c) Uses and disclosures that are not consistent with the original purpose of the collection and for 

| which consent is being sought. 

| (This element need only be included when the individual's consent is sought for a secondary use or 

| disclosure that is not consistent with the original purpose for which the information is collected. To 
find out if the individual's consent is necessary for such a use or disclosure, please consult the ATI 

and Privacy Division) 

| d) Any consequences that may result from withholding consent. 

| e) Any alternatives to providing consent 


| 4.3 [ | AND, implement controls and procedures to ensure that the CBSA keeps a record documenting 

| whether or not an individual provided consent when it was sought, including a record documenting 
| any withdrawal of consent when applicable. 

| **Ensure to provide the "controls and procedures" as an annex to this PIA** 


| 

| Additional Consent Considerations (s. 77(1)(m) of the Privacy Act): | 

| [ ] Standards and mechanisms are in place to ensure that the individual has capacity to give 
consent. | 

| ** Ensure to provide the "standards and mechanisms" as an annex to this PIA** | 


| There will be a Privacy Notice Statement on kiosk and the eDeclaration app, which all travellers will be 
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| to the Office df the Privacy done Additionally, the CBSA has Ro patates OPC iedbad | 
concerning the E311 and ABC Privacy Notice Statement. The Privacy Notice Statements for the kiosk and | 
the eDeclaration mobile app were drafted to ensure they are clear and complete. 


sk covers the disclosure of information while using the kiosk 
covers the disclosure of 


The Privacy Notice Statement for the kio 


| only (see Annex B for full text). The Privacy Notice Statement for the a 
| 
| 
| 
| 
| 
| 


information while using the app and the kiosk (see Annex C for full text). 


NO 
| 44 | | The personal information necessary for the program or activity is not collected directly from the 
individual. it is collected indirectly, for example, from another program within the CBSA, or from 
another institution, government or third party. 


i "M ————— E RE S 
| 5.| Indirect Collection - -Consent or Authority under Sec. 10 of Privacy Regulations 
ee Ru RS DEN ROT PEN MERE ER IMPER MR aol A EEE EEA EEA AEE IREEN A AE dune 


| 
| Is personal information collected indirectly from another source with the informed consent of the individual | 
| to whom it Pea or from a person authorized to act on behalf of the individual pursuant to section 10 of 


YES 


5.1 [_] The notice and consent requirements stated at Question 4 apply. Please provide the "Privacy Notice" | 

and/or "Consent Statement" below: - 
**For a copy of the CBSA Privacy Notice and Consent Statement template, contact the ATI and 
Privacy Division** | 
5.2 | |] AND, implement controls and procedures to ensure the CBSA keeps a record documenting whether 


| or not an individual provided consent when it was sought, including a record documenting any | 

withdrawal of consent when applicable. : 

| **Ensure to provide the “controls and procedures” as an annex to this PIA** | 

| 5.3 [ | AND, if information is being collected from persons authorized to act on behalf of minors, | 

| incompetents or individuals who have been deceased for less than 20 years, implement appropriate 
mechanisms to ensure that such persons are authorized to act on behalf of individuals who do not 

: have the capacity to provide consent. 

| **Ensure to provide the “mechanisms” as an annex to this PIA** 

| 

| NO | 

(54 | 

| 

| The information collected via PIK is collected directly. While up to five individuals can declare via one 

| kiosk session, each person is required to review and confirm the validity of the information provided. 
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‘6 6. Indirect Collection - Without Notification and Consent 


| Is personal information collected from another source without notice to or consent from the individual to 
| whom the information relates? 

| YES 

| 6.1 | | Where information is collected indirectly under any of the following circumstances without notice to, 
or consent from, the individual to whom it relates, please check the applicable boxes and explain as 
requested: 


i 
f 
f 
| 


| a) The collection is a result of a disclosure to the CBSA under subsection 8(2) of the Privacy Act. 
| State the applicable paragraph(s ) of subsection 80) and provide a a brief explanation for each: 
| | Details: (This information is mandatory) | | 
oo OO a — g 
[ |b) Direct notification of the individual might result i in the collection of inaccurate information, or 
might defeat the purpose or prejudice the use for which the information is collected. Briefly | 
| explain why notice is not provided: (For example, certain kinds of lawful investigation might | 
| be jeopardized if the investigators were required to notify the individuals who were the 
| subjects of the investigations before collecting information ROBE from. other. Sources. ) 
| | Details: ( This information is mandatory) | | 
| diu | 0 eee C aO o du s | 
| | |c) The information involved I in nthe program or activity i is ; to be used solely for a non- 
administrative purpose in which no decisions are made about the individuals to whom the 
information relates. (This includes research, statistical, audit or evaluation purposes.) 
6.2 [| ] AND, if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the relevant j 
| PIB. | 
| 6.3 [ ] AND, if the information is to be used solely for a non-administrative purpose (box c above hasbeen | 
| checked), ensure that the requirements under sections 6.3.2 and 6.3.3 of the Directive on Privacy | 
| Impact Assessment have been met, and that the decision of the official responsible for section 10 of | 
| the Privacy Act to proceed with a CBSA PIA for the program or activity has been adequately | 
| documented in the description of the program or activity in "Section 1 - Overview and PIA Initiation" | 
of the CBSA PIA. | 
| 6.4 | | OR, if none of the circumstances in a) b) or c) is applicable, then the personal information must be 
| collected directly from the individual, or indirectly with the consent of the individual. Please review 
| the pene to Ghestions 4 and 5 and ensure that the “Privacy Notice" or the "Consent 
i 
| NO | 
6.5 [X] All personal information is collected directly from the individual to whom it relates, or from another | 
source with notice to, or consent from, the individual or a person authorized to act on behalf of the | 
individual (see Questions 4 and 5 above). | 
| The information collected via PIK is collected directly. While up to five individuals can declare via one 
| kiosk session, each person is required to review and confirm the validity of the information provided. 
i E 
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17 7. Retention and Disposal of Personal Information | 

Has Library and Archives Canada approved a records retention and disposal schedule that applies to the 


| personali information? 


YES | 

| 7.1 [X] Please identify the Record Disposition Authority (RDA) and describe the retention and disposal | 
schedule: | 

- 72 AND, implement controls and procedures to ensure that personal information used to make a 
decision that directly affects an individual will be retained for a minimum of two years after the last | 
administrative action or, where a request for access to the information has been received, until such 

: time as the individual has had the opportunity to exercise all his/her rights under the Act. 

| 7.3 | ] AND, if the CBSA intends to dispose of personal information that has been used for an administrative 

| purpose prior to the expiration of the two-year minimum retention standard established by the 

| Privacy Regulations, it must obtain the consent of the individual to whom the information relates 

before doing so. 
7.4 D| AND, the CBSA must cite the RDA number, the retention period and the disposition standards for the 
personal information in the relevant PIB. 


PIPER E —á———— 


2 


rough the s Library and Archives Records Disposition Authüritiés Control System. While the terms ee 
| conditions list only the Customs Branch of the Canada Customs and Revenue Agency, the authorization 
portion of the RDA listing includes records collected or held by the CBSA. 


The RDA terms and conditions are generic in nature, requesting only that records that are considered to have | 


_ archival value be transferred to LAC and enable the CBSA to set the required retention period and related 
| destruction for records that are not archival in nature. | | 


| 
| The retention standards listed in the Traveller Declaration card PIB reads, “Files are retained for seven years | | 
| from the date stamped on the traveller’s declaration card (date of interview between the traveller and the _ 

| border services officer or the date stamped on the traveller receipt when the traveller uses the Automated - 


Border Clearance or NEXUS kiosk). After this period, the records are destroyed. 


| The retention period for information collected via PIK will be aligned with the retention period for the E311 
| (i.e., seven years). 


For the longer term, the CBSA should look into the possibility of internal alignment among CBSA programs or | 
| services that collect traveller history information. For example, Traveller Processing and Entry/Exit initiative. | 
Traveller Processing records (entry) are currently held for seven years, consistent with the current - 
| Declaration cards retention standard, while retention period for Entry/Exit initiative (exit records) is 15 years 
| past the point of collection. 
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| NO 
| 7.5 |. [| Provide a Records Disposition Submission to Library and Archives Canada describing the records 
| containing the personal information for which the institution requires a RDA. 
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[s ioe o de that no longer have operational utility for the Gers or activity: 
pe 7.7 | | AND, ensure that all the other applicable requirements listed under "YES" at Question 7 are met. 
a 
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| 
L Accuracy of Personal Information | | 


_ Will measures be adopted to ensure that personal information used by the CBSA for an administrative 
purpose is as accurate, up-to-date and complete as possible? 


| YES 


| 8.1 Please check any of the following measures that will be adopted to ensure accuracy of the personal 

| information and provide details as requested: 

| 8.1.1 [X] Personal information will be collected directly from the individual to whom it relates or it will be 
| validated with the individual or a person authorized to act on behalf of the individual. 

| 812 A data-matching process will be used to verify the accuracy of personal information against a 


| "reliable source" (within or outside the CBSA) where this is authorized, or where consent was 
| obtained. 

| trusted sources publie. or e and verity accuracy V against Fins Seana information 

| before use. 


[X] Technological methods will be used to identify errors and discrepancies. 


. 8.1.4 
| 8.1.5 [ ] Other 

| 8.2 AND, if measures are adopted other than "direct collection or validation with the individual or with a 
| person authorized to act on behalf of the individual", the CBSA must implement appropriate controls 
and procedures to ensure that: 

| a) the technique(s) and the specific source(s) used to validate or update the personal information 

| are documented; 


| b) individuals are given the opportunity, whenever possible, to request correction of any inaccurate 
personal information before the information is used in a decision-making process that affects 

: them; 

| c) personal information can only be modified or corrected by those within the CBSA who have the 

authority to do so; 

| d) when personal information is corrected or annotated, the record of personal information 

| indicates the date of the last correction or annotation and the source of the information used to | 

| make the correction or annotation; and | 


| 
d) when personal information is corrected or annotated, other authorized holders of the | 
information are notified about the correction or annotation and that all copies of the information | 


| 


in the possession of the CBSA are corrected / annotated. 


| are amended to identify the dave: matching activity including t the  source(s). 
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information holdings, such as: Customs Enforcement System (ICES) and Interdiction and Border Alerting 
System (IBAS). This process includes MRZ, PKD and ePassport chip validation to identify discrepancies. 
Discrepancies may result in a referral to secondary processing. No information is collected directly through 
| the app, all data is transferred to the kiosk for review and confirmation. PIK will assess the information | 
|» provided by the traveller and, if discrepancies are noted in CBSA information holding, the individual may be | 
referred to secondary processing. This is an electronic process. Additionally, travellers using the app will be | 
provided with an editable summary of their declaration, for review and confirmation at the kiosk. 


Details: Personal information collected — the PIK will be verified througirg querying existing CBSA 


— 


= 
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| Will the personal information collected for the program or activity be used solely for the original purpose 
p for weich it was obtained or iai enr dd a use consistent with that purpose, à ora d purpose ai which the 


cna nio MEE! 


YES 
[X] Implement controls and procedures to ensure that access to the personal information for such 
- purposes will be limited to authorized individuals who need to know the information to perform their 


_ Official duties. 


teu an — ANA A ASA t ttt ———— ere ———————— 


renis 


E Information, ! Science and technology; Border C Operations; a and Recourse. Access t to the data systems is is 
|| defined by user profile. | v 
| | External to the CBSA, access to the information is limited to other government departments, such as 
| | StatCan, who require the information to fulfil their mandate and with whom the CBSA has an established. : 
| Memorandum of Understanding or information sharing agreement. On an ad-hoc basis, the CBSA receives 
requests from ESDC and PHAC, to provide declaration information to support program integrity and — | 


|| national health priorities. Access to the data by all parties would be pursuant to subsection 8(2) of the ! 
| Privacy Act. While information sharing agreements and Memorandums of Understanding are in place, they : 
| are dated; CBSA is reviewing each agreement to re-confirm the authorities for the collection of information. | 
| and t ens ire only the personal information elements Tequired a are e being shared. |; | | 
| 


are wies 


9.2 AND, ensure that the "Data Flow Diagram" or "Data Flow Tables" completed for "Section 4 — Flow of 
Personal information" of the CBSA PIA identify the areas, groups and individuals (e.g., the positions) 
within the CBSA who have a need-to-know to access to or handle the personal information, including | 
their geographical location and where the personal information will be stored or retained. 


À 
i 
1 i 
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" | 
H 
) | 
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| 
| surpass) the CBSA will adhere to the requirements and nriátiplesi in the CBSA Prlincy Protocol For "S 
| Non-Administrative Purposes (2012), in accordance with section 6.2.15 of the Policy on Privacy 
Protection, to address any impact that such non-administrative uses may have on privacy. | 
NO | 

| 9.4 [ ] Identify below any other uses of the personal information, in other words, any routine uses that are 
| not directly related to the purpose of the collection, or, which are not consistent with that purpose | 
| or for which the information was disclosed to the CBSA pursuant to subsection 8(2) of the Privacy | 
Act: | 
t Detail : (7 This information i is s mandatory) - : 2 | 

LS ils m e e O … x 


9(1 | 1) of the Crest Act, if these atheri uses are nat described | in the PIB i in  CBSA Info Bn ihe CBSA 
is required to record each use on the individual's file. Describing them in the PIB is, therefore, a far 
more efficient practice — see Question 11.) 
| 9.6 | ] AND, include a description of these other uses in the "Privacy Notice" or "Consent Statement", as 
| appropriate, 

| | AND, ensure the all the other applicable requirements listed under "YES" at Question 9 are met. 


rk 


| 10. Disclosures Directly Related t to the Administration of the Program c or r Activity 
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| Will personal information be disclosed for purposes directly related to the administration of the program or | 
| activity? 


YES | 
| 10.1 bX] d Please check all applicable boxes below and, for each disclosure, identify the name of the | 
organization or third party to which personal information will be disclosed. If it is disclosed within the | 
CBSA, please identity the branch and the iio late or bi 


| 


i 
1 
! 
i 
i 
1 


—— 


Hi 


purpose eof the collection}. information i is also used d internally for enforce meni ntelllgene, | if f required. | 
Enforcement / intelligence would relate tothe primary xin: of collection and would be considered | 
| a consistent. use. — | 


RO ROME 
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| 104. 2 a% o Other federal I government i institutions 


hey provide the service of : scanning the E311 print — 
| | Declaration e cards. At the same time, StatCan analyses the information providing valuable analytical data 
back to the CBSA. Aggregate forms of this data may be used by StatCan to inform their statistical travel 
| | reports, in support of traveller questionnaires. With PIK, the records will be digital at the point of 
| collection, so StatCan will not be required to: scan the E311 cards. Hs will, however, continue to 
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a 
| | processing. and statistical analysis w was : conducted. In doing 3 SO, the CBSA validated t the datat to be shared 
| and has confirmed that only the data elements required by StatCan to carry out their mandate related - 
E | to travel and tourism will be disclosed. Section 107(5)(b) of the Customs Act provides the authority for. | 
_ the disclosure. StatCan does not have a related Personal Information Bank, however, the collection may 


|| | be represented in the e Household Surveys Class of Personal Information. | 

+ | | 

|| information| is disclosed to Employment and Social D Development Canada (ESDC) — individuals that have | | 

BE been outside the country for more than six days and may be ineligible for residency-based programs | 

E | (such as Employment Insurance). The data elements collected through PIK to be shared with ESDC and | 

I the authorities are being reviewed to ensure only data elements that are required by EDSC to carry out 

| | their mandate and for which there is collection/disc! osure authority are shared. While the CBSA PIB 

| refers to the ESDC PIB Employment Benefits, Support Measures and Other Programs, consideration TE 

B | should be given to reflecting the ESDC PIB Employment Insurance Program Investigation PIB ESDC PPU | 

| | 171. | | 

| [ Lastly, in support of health questionnaires, information may be provided to the Public Health. Agency of | | 
| Canada on a case by case basis and upon request so that they may inform travellers who have travelled | | 

| in close proximity to a potentially contagious individual. Initial assessment information is collected by | 
PHAC in a process external to the PIK collection, however, traveller contact information. may be | | 

: | disclosed from the PIK information holdings. The PHAC PIB reference i is Traveler liness Reports, PHAC 

|| PPU 071. | 


10.1. a AB Foreign government institutions and entities thereof 


E =o 


| 

| | 

PEs E: | 

B Details: There are no systematic disclosures to foreign governments. however, i in athe event of criminal 
| activity, enforcement processes may require international collaboration. Any disclosures of personal | | 

| | information for this purpose would be in accordance with the disclosure provisions of section 80 ) 2) of | 


: the Privacy Act. 
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10. 1.5 [] »itertiatiónal. organizations 


|  10.1.6[ | The private sector (e.g., contractor or other external service provider) | 
| 
| 10.1.7 [_] Other 
| 10.2 DT AND, ensure that: | 
| a) any such disclosure is made in compliance with section 8 of the Privacy Act, which allows | 

disclosures of personal information with consent of the individual to whom the information 
| relates (subsection 8(1)) or without consent in certain and limited circumstances pursuant to 
| subsection 8(2) of the Act; | 
| b) only personal information elements that are necessary for the intended purpose are disclosed; — | 
| c) the organization or third party receiving the personal information is authorized to do SO; 
| d) administrative, physical and technical safeguards appropriate to the sensitivity of the information | 

will be applied to protect the information during and after its transmission (see Question 15); - 
e) the organization or third party to which the personal information will be disclosed for the | 
| administration of the program or activity are identified in the “Consistent Use" section in the | 
relevant PII PIB in CBSA Info Source, including the specific purpose ofthe > disclosure; | 
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f) the "Data Flow bare” or “Data Flow Tables" completed in “Section 4 — Flow of er 
information” of the CBSA PIA include details on the disclosed personal information: 


| 10.3 [x] AND, any disclosure of f personal Graton to another FEI institution or outside the 


| 

Understanding: an accord, a contractual arrangement etc.) to ensure that appropriate privacy 

| protection clauses are included, and, where applicable, include provisions for inter-jurisdictional or 
| transborder flows of personal information. Such clauses must cover the following topics: 


ACCESO eit ARIA HA 


a) Control over personal information, where appropriate. 

b) Limitations on the collection, retention, use and disclosure of personal information. 
| c) Measures (administrative, technical and physical) to protect the integrity and confidentiality of 
| personal information. 


| d) Measures governing the disposition of the personal information, where relevant | 
| e) Measures to ensure or verify that the personal information is only used for the purposes related | 
| to the agreement, arrangement or contract. 

f) Obligations are to be extended to other parties such as subcontractors. 
| 

z 

| 


mers A i RR AA AA PAPA EI UE FERE te ae EEUU aa RENE TERT 


Details: Airport Authorities: While there is no disclo osure eof personal information, a Service Level 


ority prior to deployment of PIK to provide structure and | 
and the Argo Authority, te to ensure the | 


| Agreement will be signed with each airport auth 
| | delineate obligations and control! mechanisms, for both the CBS 
| protection of personal information. D 


| Statistics Canada: While a Memorandum of U ndersta nding: exis ists wit khststCan, the MoU refers to data 
| collection of E311 declaration, not the collection of information the PIK p process. An Annex to the 


|| current MOU is being drafted and will delineate the data eleme s, process and requirements around the : | 
| 


| | | sharing of information with StatCan. Custody, control, retention and | disposition will be Clearly | 
| documented. | | : 


^ wo 
| 10.4 [ ] There is no disclosure of personal information within or outside the institution for purposes that are 
| directly related to the administration of the program or activity. 
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Will controls and procedures be implemented to account for an y new use or disclosure of the personal 
information that is not included in the relevant PIB published in CBSA info Source? 


YES 
11.1 Appropriate controls and procedures have been or will be implemented to ensure that: 

a) the head of the institution (The ATI and Privacy Director) or the appropriate delegate is notified 
about any new use or disclosure of personal information that is not reflected in the PIB 
description published in CBSA Info Source; | 

b) the consent of the individual to whom the information relates is obtained in writing, as | 

| appropriate, prior to any new use of the information for an administrative purpose that is not | 

| reflected in the relevant PIB published in CBSA info Source, unless the new use is considered to 

j be consistent with the purpose for which the personal information was obtained or compiled and 

the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith regarding 
the new consistent use; 

| c) except as permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 

: information for a purpose that is not reflected in the relevant PIB published in CBSA Info Source 

| will only be made with the consent of the individual to whom the information relates; 

| d) a record is kept for any new use or disclosure of personal information not described in the 
relevant PIB published in CBSA Info Source, and that this record is stored with the personal 

information to which it relates and retained for a minimum period of two years following such a 

| use or disclosure; 

e) ifthe information is disclosed to a federal investigative body under paragraph 8(2)(e) of the 

Privacy Act, the record of disclosure will be kept in a separate PIB for a period of two years where 

| it will be available to the Privacy Commissioner for review upon request; 

j f) the Privacy Commissioner is notified, by the CBSA ATI and Privacy Director, forthwith, as required 

| under subsection 9(4) of the Act, of any new use or disclosure that is consistent with the purpose | 

i 

| 

| 

| 


for which the information was obtained or complied, but which is not reflected in the relevant 
PIB published in CBSA Info Source; | 

g) therelevant PIB is amended in time for the next edition of CBSA Info Source to include any new 
use(s) or disclosure(s) that are consistent with the purpose for which the information was 
obtained or compiled, as well as any routine use(s) or disclosure(s) that do not fall within the | 
categories of purpose of collection or consistent use: and | 


h) the Privacy Commissioner is notified, by the ATI and Privacy Director, prior to or forthwith, as 
| required under subsection 8(5) of the Act, about any disclosures made or to be made in the 
| public interest or in the interest of the individual to whom the information relates. 
| i) Other 
NO 


| | Detail: Provide adequate justification. 
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| 12. Safeguards - Statement of Sensitivity T 
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| Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of sensitivity of | 
| the personal information to be collected and retained for the program or activity? 


YES 
12.1 X 
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The information contained in the SoS or similar analysis has been taken into account when assessing 
the level of risks to privacy in "Section 2 - Risk Area Identification and Categorization" of the CBSA 
PIA. 
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| 
| | mobile application The information collected by PIK was identified as Protected B, while the "c 
| information collected via the eDeclaration mobile application was identified as unclassified and non- | 
| sensitive. | . | 
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NO | 
| 12. 2 [| Please explain why a SoS or similar analysis was not considered necessa ry to assess the sensitivity of | 
the information. 


13. Safeguards - Threat and Risk Assessment | 
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| Has a Threat and Risk Assessment (TRA) or a similar security assessment been completed for the program or 
Los (Input to this section must be coordinated with and reviewed by CBSA —1T - Security Directorate) 


| 13.1 Mi Reference the title of the TRA or other security assessment in "Section 6 — -Supplementary 
Documents List” and provide | a brief ! synopsis of the assessment ii in n the Space below: 


Details : : | 
| | 
E | 
B wu d A a a U 


d 
«s | 


dTéciimitended | in iles assessment have heat implemented t to ensure the confidentiality, availability 


| and integrity of the personal information. | 
| 
a 13.3 [| AND, ensure that any residual risks to personal information are known and accepted by the - 
executive or senior official responsible for the program or activity and the Head or delegated 
authority for the Privacy Act. (ATI and Privacy Director) 
NO 


| 

| 

i 

| 13.4 [X] If a TRA or similar security assessment is underway, simply reference that fact in the space below and. 
| _indicate when it is dud to be com i asa if there i isno intent to pm one, please ditus 


Anime 


| m ST ——— —Á— n (— | 
| | 
| project document instead Jof a Threat and Risk Assessment RAV. A à Preliminary! Security ; Assessment | 
IF Report (PSAR) has been prepared for the PIK initiative. The Security Assessment Report, as per standard - | 

| 


project process, is reviewed and revised as the Project progresses and will be Pun Just b before 
| launch of the PIK initiative be 
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E 14. Safeguards - - Administrative, Physical and Technical | : 8 | 
p es Bo m m NODE M UD prec ox 2000 3 o 00 5 000 0o d 
Please identify below any administrative, physical and technical safeguards in place, or to be implemented, 

| for this program or activity to ensure the confi identiality, availability and integrity of the personal | 
| | information. | 
Please check all that apply, including safeguards identified by the TRA or similar security assessment. 

: 14.1 Administrative safeguards 
| [X] internal security and privacy policies and procedures | 
| Staff training on privacy and the protection of personal information 
| Screening and security checks of employees 
| [XI Appropriate security levels for employees who will have access to personal information | 
i Dx] Contingency plans and documented procedures in place to identify and respond to security and | 
| privacy breaches, and to communicate security violations to the data subject, law enforcement | 
| authorities and relevant program managers 

| Dx] Regular monitoring of users' security practices | 
2 x | Methods to ensure that only authorized personnel who need to know have access to personal | 


information 


Other | 
Detalls: A complete list of administrative safeguards is listed à in 1 the R413 E ystem- | | 
Requirements Specification and will be verified by the R413 Final Security Assessment ae 
| Report. || 
O o ë ë 
14.2 Pa safegua rds | 
X] Restricted access areas | 
copies guards | 
A Identification badges are worn by staff at all times 

After hours alarms and monitoring systems 
Locked filing cabinets | 
LX] Combination locks | 
Video surveillance (closed-circuit television) | 
Secured server locations | | 
XJ Backups secured off-site 
= tel 

| Details: A complete list of physical safeguards is is | listed i in the R413 System Requirements | 
| Specification a and will be verified by the R413 Final Security Assessment Report À | 


Canada Border Services Agency 
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| 14.3 Technical safeguards 
Role-based user authorization and authentication 


| Passwords (minimum of 6 characters long, include alpha and numeric characters) 
PX] Passwords are changed by users every 90 days and recently used passwords cannot be re-used) 
| Password protected screensavers 


| 
Session-time out security (automatically locks an account after a session has been idle for a 
| specified amount of time) | 
| [x] Firewalls | 
| Virtual Private Network (VPN) | 
| X Encryption of sensitive information 
| Government of Canada Public Key Infrastructure Certificates (PKI) 
[X] External Certificate Authority (CA) | 
| [x] Audit trails | 
| | 
| | 

| 

| 


bj Other 
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Im Details: A complete list of technical safeguards i is. listed i in nthe R413 System Requirements Specification | 
Le and will be verified byt the R413 Final Securi ity Assessment Repor 
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| Will the information system(s) used to deliver the program or activity employ cookies or other tracking 
| technologies to collect personal information about users and their transactions? 


Privacy of "Section 2 — Risk Area Identification and Categorization" of the CBSA PIA; ( 


| 15.1 FI The specific tracking technologies to be used is adequately described under Part 6: Technology and 
: 
| 15.2 m |. | AND, the collection of any personal information using such technologies is reflected in the relevant 


| 
| 
PIB and in "Section 3 — Analysis of Personal Information Elements" of the CBSA PIA; | 
ES 3L | L] AND, the use of such technologies to collect information about users and their transactions is 
adequately reflected in the "Privacy Notice"; | 
15.4 L| AND, those responsible for implementing and using tracking technologies to collect personal | 
| information or who may have access to personal information collected through these methods are 
| made aware of privacy and security policy requirements; 
| 155 [ AND, where personal information collected through such tracking technologies is used to make a 
: decision that directly affects the individual to whom the information relates, it will be retained fora | 
: minimum of two years after the last administrative action as required under the Privacy Regulations. | 
| | 


| 15.6 x S Tracking technologies are not used to collect personal information about users. | 
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| targeted population? 


| YES 
| 16.1 Consult with your legal advisors to determine whether or not such surveillance or monitoring 
| activities raise any issues relating to the Charter of Rights and Freedoms, the Privacy Act or other | 
: applicable acts. | 
16.2| ] And, ensure the surveillance or monitoring method(s) to be used, the cha racteristic(s) of the | 
| targeted population and the scope of the surveillance or monitoring are adequately described under | 
| Part 6: Technology and Privacy of "Section 2 — Risk Area Identification and Categorization" of the | 
| 1 
d 

| 


4 
| 
| Will the new or modified program or activity result in new or increased surveillance or monitoring of a 


CBSA PIA. 
16.3| | AND, any personal information collected or created as a result of such surveillance or monitoring is 
described in the relevant PIB and in Section 3 ~ Analysis of Personal Information Elements" of the 
| CBSA PIA. 
| 16.4 AND, the collection or use of personal information through surveillance or monitoring is adequately 
| reflected in the "Privacy Notice", unless such notification might result in the collection of inaccurate 
| information or defeat the purpose or prejudice the use for which the personal information is 


collected. 


| 16.5 [| AND, those responsible for implementing and using such surveillance or monitoring method(s) or 
| who may have access to personal information collected or created through these methods are made 
aware of privacy and security policy requirements. 


| 16.6 [X] The new or modified program or activity will not result in additional surveillance or monitoring. 


i 
i 
| 
| 
| 


| sanctions may be applicable? 
| 


YES 
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A [X] Consult with your legal advisors to determine whether or not the compliance/regulatory | 
investigation or law enforcement activities raise any issues relating to the Charter of Rights and 
Freedoms, the Privacy Act or other applicable acts. 


| 17.2 [X] AND, identify the legislative authority and the specific regulatory or law enforcement purpose 
| involved: 


/ bus shall be reported in witing” — 


. O Information required f from individuals as ol request PONE into. Canada i is s derived from two v : 
 legislations. person i ad 
except ir in su 


dn addition to these s specifi legal authorities, info rm 


instrument t made under it, or rany part of such s an Act or instrument, 


(a) that the Governor i in Council or Parliament authorizes the Minister, the Agency, the. | 
President oran employee ofthe Agency to administer and enforce, including the Customs Act, - | | 
e Custom Tariff, the £xcise Act, the £xcise Act, 2001, the Immigration and Refugee | 

ct and the Special Import Measures Act; 


that the Governor i in Council Or Parliament authorizes the Minister, the Agency, the 
or an employee of the Agency to enforce, including the Agriculture and Agri-Food 
itive Monetary Penalties Act, the Canada Agricultural Products Act, the Feeds Act, 
izers Act, the Fish Inspection Act, the Health of Animals Act, the Meat ge Act, 
the Plant Protection Act and the Seeds Act; 
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17.3 [] AND, if the legislative authority differs from the legal authority for the program or activity, ensure it jJ 
is adequately reflected in the response to Question 1 of “Section 5 — Privacy Compliance Analysis" | 
and in “Section 1 — Overview and PIA Initiation “of the CBSA PIA. | | 

| 


| 

17.4 [] AND, any personal information collected or created as a result of such regulatory or criminal 
enforcement, surveillance or intelligence gathering program or activity is described in the relevant 
F PIB and in "Section 3 — Analysis of Personal Information Elements" of the CBSA PIA. 

17.5 Dx] (| AND, the collection or use of personal information through these compliance / regulatory 
investigation or enforcement activities is adequately reflected in the "Privacy Notice", unless such 
notification might result in the collection of inaccurate information or defeat the purpose, or 
| 
| 


prejudice theu use, for which the personal information i is collected. 
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Details: Individuals a are e notified that the information | is collected “for the purposes of administering - s | 
P| 
| 


surveillance or intelligence gathering. 


| 
| | laws that enforce, prohibit, control or regulate the movement of persons, goods or currency into 

| | Canada." | | | | 
| | | If notice about the compliance/regulatory investigation or law enforcement activities will not be | 
provided. | 
NO | 
: | 17 6 L] The program or activity does not involve the conduct of regulatory or criminal enforcement, | 
i 
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This table summarizes the privacy risks identified through the PIA process, and categorizes levels of risk as low, 
moderate, or high. Risk is defined by factors of impact and likelihood of occurrence. The goal of privacy risk 
management is to maintain privacy risks within acceptable bounds. The higher ratings provide an indication of 
priority areas for implementing suggested risk mitigation mechanisms. Criteria for ranking are set as follows: 


(L)ow: There is a remote possibility that the risk will materialize and/or the im pact of the risk to the program is 
minor. 

(M)oderate: The possibility of the risk materializing is very low although the impact of such a risk is high, OR the 
possibility of the risk materializing is high but the impact of such a risk is minor, OR the impact and likelihood of the 
risk occurring are both determined to be moderate. 

(H)igh: There is a near certainty that the risk will materialize if no corrective measures are taken and/or the impact 
of the risk on the program is severe. 
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Conduct a review of the relevant 
| PIBs and consolidate as 
| appropriate. 


Necessity to Collect | Currently, there are several PIBs | 
Personal that reflect similar collection of 
Information personat information. 


Authority forthe | No risks identified. | | | 1 N/A 
Collection, Use or 
Disclosure of the 
Social Insurance 


| No risks identified. 


No risks identified. 


Notification and 
Consent 
Indirect Collection - 
Consent or 
Authority under 
Sec. 10 of Privacy 
Regulations 
Indirect Collection - 
Without 
Notification and 
Consent 


entified. 


No risks id 


No risks identified. 


| CBSA retention period for data 

| collected via traveller processing 
| varies by initiative, from 7 years 
| to 15 years. 


| CBSA to conduct a review of the 

| retention period for information 
| collected via traveller processing, 
and explore the possibility of 
aligning the traveller processing 
records for entry, which are | 
currently retained for seven years, | 
| with the retention period for 
Entry/Exit initiative (exit records), 
| which is set for 15 years retention 
past the point of collection. 


Disposal of 
Personal 
Information 


Accu racy of 
Personal 
Information 


| No risks identified. 
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| With the digital collection of X An Annex to the current MOU 


traveller declarations, there is 
the possibility of limiting the 

| information provided to StatCan 
to that expressly required as 

| well as providing the 
information electronically. 
Accordingly, the current 

| agreement with StatCan needs 
to be updated to reflect the 

| exact data shared, authorities, 
and the method of transmission 
| of the information. 


| Information sharing agreements 
which address the sharing of 
data with program delivery and 

| health partners are outdated, 
reflecting legacy collection 

| processes. - 


order Services Agency 


| with StatCan is being drafted to 


reflect the exact data to be 


| shared, authorities, and the 
| transmission process of the data. 


will be reviewed to confirm that 
the appropriate authorities, data 
elements and method of 
transmission are clearly 


| articulated. 
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Related to the 
Administration of 
the Program or 
Activity | 
Accounting for 
New Uses or 
Disclosures Not 
Reported in CBSA 
Info Source | 
Safeguards - 
Statement of 


| No risks identified. 


| No risks identified. 


Threat and Risk 
Assessment 


as per standard project process, 


| the PIK initiative. As a result, 

| should privacy risks be 

identified, it may be too late to 

adequately mitigate the risks 

| before implementation. 
Safeguards - 
Administrative, 
Physical and 


Privacy - Tracking 
Technologies _ 
Technology and 
Privacy - 
Surveillance or 
Monitoring 
Considerations 
Related to 
Compliance, 
Regulatory 
Investigation, 
Enforcement 


| The Security Assessment Report, | 


is finalized just before launch of | 


PIA 


A 


Raise the potential risks created 
by the timing of the SAR with the 
CBSA management responsible 
for Service Lifecycle Management 
Framework (SLMF). 
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General Privacy A PIA has not been conducted 
Compliance for traditional primary 
inspection by a BSO. As a result, 
| privacy risks of in-person 
| processing for travellers opting 
| not to use PIK are unknown. 


Generic Passage Flow (GPF) 

| Unified Passage (UPASS) initiative. 
This initiative will enable a unified 
| operational model with tightly 
integrated and standardized 
business processes, information 
and technology that are used 
throughout the border processing 
continuum and includes people, 
goods, or conveyances in all 

j modes, pre-border, at the border, 
post border, and applies to all 
CBSA programs. The project goal 
is to provide one process and one 
system for the traveller passage 
continuum. 
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SECTION 7 - SUPPLEMENTARY DOCUMENTS LIST 


Documents used or related to the CBSA PIA may include: 


e Automated Border Clearance Program (ABC) PIA Action Plan, March 2013 

e Addendum to the PIA for ABC (formerly EPIL), March 2009 

e Correspondence from the OPC, "Privacy Impact Assessment — Automated Border Clearance Program" dated 
May 11, 2015 

e Correspondence from the OPC, “Automated Border Clearance Pilot Project" dated June 23, 2011 

e Correspondence from CBSA to the OPC, dated February 22, 2013 

+ Air Traveller Transformation, Presentation to Corporate Reporting, Audit, Evaluation and Governance, 
February 12, 2016 

e Info Source, Canada Border Services Agency Chapter 

* Info Source, Employment and Social Development Chapter 

e Info Source, Public Health Agency of Canada Chapter 

e Info Source, Statistics Canada chapter 

e Information Sharing Agreement with Employment and Social Development Canada 

e International Travel Statistics (Memorandum of Understanding between the CBSA and Statistics Canada) 

e Modernization of Air Traveller Processing, Backgrounder for the Minister, dated November 2015 

e Privacy Impact Assessment, Electronic Primary inspection Line, September 2008 

e Privacy Impact Questionnaire, Primary Inspection Kiosk, dated October 2015 

e Service Level Agreement (between CBSA and Airport Authorities for the PIK Solution) 

e Statement of Sensitivity for the Primary Inspection Kiosk 

e Statement of Sensitivity for CanBorder eDeclaration Mobile Application 

* Preliminary Security Risk Assessment 

e Security Risk Assessment 
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| The following signature represents a 
commitment to comply with sections 4 to 8 of 
the Privacy Act and the related privacy policy 
requirements outlined in the CBSA PIA as they 
dministration of the identified 


E 
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Note: Responsibility for sections 4 to 8 of the Privacy 
Act rests with all employees of government 
institutions that handle personal information. Officials 
| who manage such programs and activities are 

responsible for ensuring that such requirements are 
implemented as part of the administration of the 
program or activity. 
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The following signature represents a commitment 
by the Head of the institution or his/her 
delegate(s) who is responsible for establishing 
personal information banks in accordance with 
section 10 of the Privacy Act. 


` ore nt P ir meanest 
pE cree - 


ros SS sees 


Dan Proulx, Director, Access to Information and 
Privacy Division 


FEB 1 7 2017 


Date 


Note: Under the Privacy Act, the Head or his/her 
delegate(s) is responsible for complying with legal and — 
relevant privacy policy requirements related to the | 
approval and registration of personal information 
banks 
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Privacy Compliance - Action required to support legal and policy compliance . Done To be | 
Analysis question # (cross reference to relevant question of Section 5 — Privacy done | 
- Com ipliance Analysis) 


1 . Legal authority for the program or activity has Kesh established and x E 
_is reflected in the relevant PIB. | 
2 . 8) The categories and elements of personal information to be 
. . collected for the new program or activity have been carefully 
assessed based, for example, on the CBSA's experience gained "M: El 
with the administration of a similar program or activity. The 
personal data collected will be limited to only that which is 


equired. Xm n 
ies BR D 


_b) Categories and elements of personal information have been 

.. described in the relevant PIB for the program or activity. 

. C) Controls and procedures will be implemented to ensure the CBSA - 
does not collect more personal information than necessary for | 
the program or activity and that a continuing need exists for the 
personal information and its collection. 


4and 5 _a) All of the requisite “Privacy Notices” and “Consent Statements” 
that meet the requirements of sections 6.2.9 to 6.2.12 of the |... K [J 


Directive on Privacy Practices have been drafted. (Texts of the 
notices and consent statements must be included as an annex.) 

. b) Controls and procedures have been implemented to keep 
records of individual consents, and to ensure that persons acting 
on behalf of individuals who do not have the capacity to provide 
consent have the authority to do so under section 10 of the 

| Privacy Regulations. 


7 a) A Records Disposal oe (RDA) has been ed by : 2 
Library and Archives Canada to authorize the disposal of the 5D] 
records containing personal information for the program. | 
b) Controls and procedures have been implemented within the | a 

program or activity and the CBSA ATI and Privacy Division to - 
ensure that information that has been used for an 
administrative purpose will be kept for the minimum retention ey a 
| period established by the Privacy Regulations. | | 
c) Reference to the RDA, the retention period and the disposition 
| standards for the program have been cited i in the relevant PIB. 


8 Controls and procedures are in the process of belig implemented to 
ensure that the personal information associated with the program is - D] | LI] 
as accurate, complete and up-to-date as necessary. : 


Canada E Border Services Agency 
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Privacy Compliance _ Action required to support legal and policy compliance Done To be | 
Analysis question # (cross reference to relevant question of Section 5 — Privacy | [dune 

Compliance Analysis) | 


Other Privacy Considerations related to — principles that are not "— in the previous 17 sections: 
(these considerations should be explored in the Executive Summary) 


Openness Describe how the results of any privacy impact assessment or audit & n 
. Will be made available to the public. The Executive Summary will be 

published on the external CBSA ATI and Privacy Division website at 

- http://www.cbsa-asfc.gc.ca/agency- -agence/reports-rapports/pia- 

- efvp/atip- aiprp/pias- -sefp-eng.html 


Are policies and practices relating to the proposal's management P] | 
and handling of personal information available to the public? 


Is there a communications plan to explain to the public how x [] 


personal information will be managed and protected? 


_Is there a clearly defined " easy process for individuals to access Dd _ 
-such information and/or communicate with appropriate individuals _ : 
with respect to policies and practices relating to management and 

: protection of personal information? 


| Where appropriate, will public corisultationt take —- on the O X | Bil 
| privacy implications of the proposal? : 


Individual’s Access _ Is the system designed to ensure that an individual can T access 
to to his/her personal information, including all other programs or | 


| : ; Ir i NS that " - i > | ELIT A nati de 1^ \ 
Personal information applications that have received copies of the information? s. 12(1) 


Are there documented procedures developed or planned on how to OAN 
make privacy requests or requests for the correction of personal | 
| information? s. 12 (2) 


Are individuals — with access to their i persoriál information 
dn the official language of their choice? S. - 17(2) 


* 
CL] 


x 


| Pannen. are individuals provided with access to their personal - 
information i in an alternative format? E 176) 


Challenging . Are the complaint procedures for the — program or service e Ll 
Compliance . consistent with legislated requirements? s. 29-35 


To improve information management practices and standards, has 
|. a procedure been established to log and periodically review the 
nature, frequency and resolution of complaints? 
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Privacy Compliance 
Analysis question # 


PIA 


Action required to support legal and policy compliance Done 
(cross reference to relevant question of Section 5 — Privacy | 
Compliance Analysis) 


. Are there oversight and review mechanisms implemented or DS 
available to ensure accountability? 


- Have oversight agencies, including the Office of the Privacy x 
. Commissioner, issued reports or opinions on issues that would be 
_ relevant to the proposal? 


e 
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Privacy Statement — Primary Inspection Kiosk 


The information that you are providing at the Primary Inspection Kiosk is collected under the 
authority of Section 12 of the Customs Act, Subsection 5(3), Reporting of Imported Goods 
Regulations, the Customs Tariff, the Immigration and Refugee Protection Act and/or the 
Proceeds of Crime (Money Laundering) and Terrorist Financing Act for the purposes of 
administering laws that enforce, prohibit, control or regulate the movement of persons, goods 
or currency into Canada. This includes facilitating compliance with reporting obligations under 
this legislation and the collection of duties and taxes owing on goods imported into Canada. 


Failure to provide/complete all the requested information will result in your referral to a Border 
Services Officer for in-person processing. 


This information may be used in support of ongoing CBSA investigation or enforcement 
activities. This information may also be disclosed to: 
e Other government departments and agencies, police forces and other countries to 
administer laws that prohibit, control and regulate the importations of goods; 
e Other government departments, such as Statistics Canada, the Public Health Agency of 
Canada, and Employment and Social Development Canada and for the purpose of statistical 
reporting public health and program integrity. 


Your photograph will be taken for the purposes of administration and/or enforcement of the 
Customs Act or Immigration and Refugee Protection Act and may also be used for the 
administration or enforcement of other legislation or regulations administered or enforced by 
the CBSA. It will also be retained in accordance with the Privacy Act. 


Individuals have the right of access to and/or can request corrections of their personal 
information under the Privacy Act. The information is described within Info Source, Traveller 
Declaration cards Personal Information Bank CBSA PPU 018 at gui : 


sfc.g | | | -aiprp, u e.html. Should you 
have concerns s about the CBSA’s handling of your personal infürmation: you have a right to file a 
complaint with the Privacy Commissioner of Canada. 
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Privacy Statement — CanBorder eDeclaration Mobile App 


The CanBorder e-Declaration mobile application is designed to ensure your privacy and protect 
your personal information. This stand-alone application collects and stores only basic, non- 
sensitive information, to facilitate your arrival. When you scan your QR code at a Primary 
Inspection Kiosk in Canada, your information is transmitted securely to the CBSA. CBSA 
reconciles your eDeclaration with your legal name when you scan your travel document at the 
kiosk. After 24 hours, your QR code will automatically expire and all declaration data will be 
purged from the app. You can also manually delete all application data at any time. 


The information you are providing at the Primary Inspection Kiosk is collected under the 
authority of Section 12 of the Customs Act, Subsection 5(3), Reporting of Imported Goods 
Regulations, the Customs Tariff, the Immigration and Refugee Protection Act and/or the 
Proceeds of Crime (Money Laundering) and Terrorist Financing Act for the purposes of 
administering laws that enforce, prohibit, control or regulate the movement of persons, goods 
or currency into Canada. This includes facilitating compliance with reporting obligations under 
this legislation and the collection of duties and taxes owing on goods imported into Canada. 


Failure to provide/complete all the requested information will result in your referral to a Border 
Services Officer for in-person processing. 


This information may be used in support of ongoing CBSA investigation or enforcement 
activities. This information may also be disclosed to: 
+ Other government departments and agencies, police forces and other countries to 
administer laws that prohibit, control and regulate the importations of goods; 
+ Other government departments, such as Statistics Canada, the Public Health Agency of 
Canada, and Employment and Social Development Canada and for the purpose of statistical 
reporting public health and program integrity. 


Your photograph will be taken for the purposes of administration and/or enforcement of the 
Customs Act or Immigration and Refugee Protection Act and may also be used for the 
administration or enforcement of other legislation or regulations administered or enforced by 
the CBSA. It will also be retained in accordance with the Privacy Act. 


Individuals have the right of access to and/or can request corrections of their personal 
information under the Privacy Act. The information is described within info Source, Traveller 
Declaration cards Personal Information Bank CBSA PPU 018 at http://www.cbsa- 

| 2c.ca/ag fre /p/atip-aiprp/infosource-eng.html. Should you 
have € concerns bout the CBSA's ha ndling of your personol information you have a right to file a 
complaint with the Privacy Commissioner of Canada. 
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~ | EXECUTI 


The Temporary Foreign Worker Program (TFWP), governed by the Immigration and Refugee Protection 
Act (IRPA) and the immigration and Refugee Protection Regulations (IRPR), is jointly administered by 
Citizenship and Immigration Canada (CIC), Employment and Social Development Canada (ESDC) and the 
Canada Border Services Agency (CBSA). The TFWP allows Canadian employers to hire foreign nationals 
(FNs) to fill temporary labour and skill shortages when qualified Canadian citizens or permanent 
residents are unavailable. | 


On June 20, 2014, the Ministers of ESDC, and CIC announced comprehensive reforms to the TFWP, 
including the splitting of the TFWP into the following two programs: 


1. TFWP -includes all streams of work for which a Labour Market Impact Assessment (LMIA} is 
required; and 

2. International Mobility Program (IMP) — includes all streams of work that are LMIA-exempt 
under the /RPR. 


The Ministers also committed to improving TFW information sharing among federal departments and 
with provinces and territories. 


For employers who have been unable to recruit Canadian citizens or permanent residents for available 
jobs, the TFWP makes it possible to hire workers from abroad or qualified temporary foreign workers 
(TFWs) already in Canada. 


came to fil a temporary vacancy can transition to permanent residence if they meet certain 
requirements. These routes exist to ensure that workers who have shown that their skilis are in 
continuing demand and that they have already adapted well to life in Canada can build a future here. 


While most TFWs will be hired to address a specific, short-term labour need, some TFWs who initially 


The documents required for a FN to work legally in Canada vary based on the citizenship of the FN and 
the nature of the work to be performed in Canada. The documents required may include one or all of 
the following: 


1. Labour Market Impact Assessment 
An LMIA is a labour market verification process whereby ESDC assesses an offer of employment to 
ensure that the employment of a FN will not have a negative impact on the Canadian labour 
market. A positive LMIA from ESDC is generally required to support a work permit (WP) 
application, unless CIC deems the position LMIA-exempt, which depends on the occupation and 
specific case circumstances. In 2013, approximately 3896 of TFWs (176,613 individuals) required 
an LMIA, whereas 6296 (284,050) were LMIA-exempt. When an LMIA is required, an LMIA 
application (See Annex D) is submitted by the employer to ESDC. Employers may also submit a 
form authorizing a 3^ party representative to engage with ESDC/Service Canada for the purpose 
of the LMIA application (See Annex E). ESDC reviews the employer's application, ensures TFWP 
requirements are met, and assesses the likely impact of the TFW(s) on Canada's labour market. 
ESDC issues a positive LMIA (also known as an ESDC Confirmation) when the employment of the 

peo FN(s) is not expected to have a negative impact on Canada's labour market. 
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.2. Visa 
in addition to a WP, some prospective TFWs require a visa, which authorizes travel from the 
foreign country to Canada. Visas are an official counterfoil document, issued by a CIC visa office 
abroad which is placed in the FNs passport to show that he or she has met the requirements for 
travel to Canada as a temporary resident (a visitor, student or worker). Citizens of certain 
countries and territories require a visa to travel to Canada (e.g. Brazil), whereas citizens of other 
countries do not (e.g. United States of America). 


3. Work Permit 

In general, all FNs coming to work in Canada require a WP, unless otherwise exempted under 
section 186 of the IRPR. WP applications for visa-required FNs are submitted to CIC at a visa office 
abroad. If the WP application is approved, a "Letter of Introduction" is provided by CIC to the FN 
for presentation to the CBSA at the Port of Entry (POE). Visa-exempt FNs may apply for a WP 
directly at the POE upon arrivai in Canada. In these cases, the WP assessment is completed by the 
CBSA Border Services Officer (BSO). It is noted that CIC does not issue WPs abroad. The official WP 
document is only issued by the CBSA at the POE, if the necessary admissibility and eligibility 
criteria have been met. CBSA officers at POE make the final decision as to who may enter and 
work in Canada. 


In addition to the TFWP, the Federal Skilled Worker Program (FSWP) promotes the immigration of 
skilled workers to Canada. Under the FSWP, ESDC is required to provide an LMIA for the position being 
offered to the skilled worker. 


Roles of Each Government Institution 
The TFWP and the FSWP are jointly administered by ESDC, CIC and the CBSA. 


When an LMIA is required, ESDC reviews the employer's application, ensures appropriate program 
requirements are met, and assesses the likely impact of the employment of the FNs on Canada's labour 
market. Information collected and used to develop an LMIA includes: employer business and persona! 
information, personal information about the prospective foreign workers, and employer compliance 
information, including Employer Compliance Review (ECR) and Employer inspection results (if 
applicable). | 


CIC reviews visa and WP applications (primarily from visa-required FNs), issues visas and authorizes WPs 
when required. CIC is also responsible for the administration of the IMP. The IMP includes the 
Occupations and streams of work for which an LMIA is not required, and its primary objective is to 
advance Canada's broad economic and cultural interest. 


The CBSA performs an important role in the administration and enforcement of the TFWP, FSWP and 
the IMP by determining the admissibility of prospective foreign workers, issuing WPs at POEs, 
investigating and removing FNs who work illegally or are otherwise in Canada without status and 
investigating and prosecuting alleged offences under the IRPA. 
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Current and Future Information Sharing 

Historically, the CBSA and ESDC have exchanged information on companies and individuals to support 
the CBSA’s mandate to enforce IRPA/IRPR and ESDC’s role in providing an opinion on the impact that 
the employment of FNs is likely to have on Canada’s labour market, but this exchange has been in 
limited circumstances and only when it meets the criteria of s. 34(1) of ESDC's legislation, the 
Department of Employment and Social Development Act (DESDA). Conversely, the CBSA has provided 
information to ESDC on individuals and companies who are being prosecuted or have been convicted of 
criminal offences related to IRPA/IRPR; this information is used by ESDC to assist in processing current 
and future applications in the TFWP and FSWP. 


in Economic Action Plan 2013, the Government of Canada committed to reforming the TFWP to protect 
foreign workers from abuse and exploitation, and to reinforce the principle that Canadians should be 
considered first for available jobs. The 2014 Budget committed significant funding for ESDC to make 
changes to the LMIA process and introduce reforms relating to LMIA-exempt situations. The reforms to 
the TFWP are aimed at: 


e Reducing employer use and reliance on TFWs; 

e Ensuring that employers who abuse the Program face significant consequences; 
e Restricting access to the Program; and 

e improving labour market information. 


As part of these initiatives, ESDC will invest more time and money into identifying and deterring 
employer non-compliance with TFWP conditions. In addition, both CIC and ESDC intend to increase their 

os inspection activities and to seek authority to compel documents from third parties that establish 
employer non-compliance. As a result, CBSA referrals for criminal investigations are expected to 
increase. 


To facilitate the information sharing, the two departments agreed to work together to amend the 
Department of Employment and Social Development Regulations (DESDR) to recognize the CBSA as a 
prescribed federal institution for the purposes of section 35 of DESDA (i.e. a law enforcement body 
recognized in the Act), which would allow ESDC to disclose information collected under the TFWP and 
FSWP to the CBSA for the administration and enforcement of the IRPA. 


Further to those legislative/regulatory changes, an Information Sharing Agreement (ISA) was signed 
between the CBSA and ESDC to enumerate the personal information which will be exchanged between 
the two departments. The ISA is attached to this PIA as Annex J. 


As reflected in the ISA, data will be exchanged between the two institutions in one of three modes. First, 


so that BSOs can view LMIA data when the prospective TFW seeks entry to 
Canada. will be established and maintained by ESDC for both 
institutions to share information pursuant to the ISA. | will be available for 
a short period of time before it is removed (currently set at And lastly, in some cases, paper 
records 
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.… The personal information disclosed by ESDC to the CBSA will support the administration and 
enforcement of the IRPA/IRPR and will be limited to information collected on the LMIA application 
forms, other information related to the LMIA process, information received by ESDC via the TFWP's 
Online Fraud Reporting Tool, and Service Canada's Confidential Tip Line. Annexes C and D of the ISA 
stipulate the data elements which ESDC may disclose to the CBSA. 


The CBSA will provide information to ESDC regarding anyone who has submitted an application under 
the TFWP/FSWP and against whom charges have been laid as well as any convictions that may have 
been rendered. Annex E of the ISA stipulates the data elements which the CBSA may disclose to ESDC. 


Privacy Risks Identified in the Development of this PIA 
In assessing the ISA, the legislative changes, and work flows that support data exchanges between the 
CBSA and ESDC, the following privacy risks and corresponding mitigation activities were identified. 
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Risk Description Mitigation Activity 


| NR M | | All relevant staff will be made aware of the | 
There is a risk that personal information could 


| be disclosed to/by the CBSA and used for a 
purpose that is beyond the scope of the ISA. | 


parameters of the ISA and that disclosures 
to/by the CBSA must be limited to those | 


| d " .| authorized under the current ISA. Operational : 
Furthermore, there is a risk that CBSA staff 


| | "betae senec ne he Dd eee uta | guidance will be developed and provided to | 
x i duis i ids on in ve. E b j : | Staff that outlines the limitations of the ISA, as | 
and that an offence provision within DESDA | well as the applicable offence provisions 
may apply to them and the CBSA if they) ~~ ^ tom ctm Kids 

m i BE . "UNE i i | within DESDA. in addition, measures to | 
disclose information received from ESDC in | 


n appropriately identify ESDC information held | 
con'ravention to the ISA/DESDA. obs i 


— 


| There is a risk that information obtained from 


within CBSA systems will be introduced. 


The CBSA will implement procedures to clearly | 


1 


| identify ESDC records that are shared | 


ESDC pursuant to the ISA may be disclosed to a | "e oo. MN 
P - PN " pursuant to the ISA. This will apply to both 
i third party in contravention of the disclosure E u 
i | | | . paper records and data that are stored in 
| clauses of the ISA. Currently, information | aL 
2 | | uM CBSA systems. Furthermore, BSOs will be 
received from ESDC may not be appropriately : | 


| " TUUM | made aware that restrictions to the sharing of | 
identified/marked as originating from ESDC, |. | ae 
" | | uu | ESDC information also apply to information | 
and subject to the unique disclosure | | . | | 
A " obtained via the FWS-FOSS/FWS-GCMS one 
| rest ictions of the DESDA. 


| way interface. 
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This risk has been addresse 
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to the CBSA via the Online Fraud Re Reporti: ng 
| Tool 


- Nhen ESDC staff 
complete the CBSA Lead Referral Form, it may 


Division) 


be sent to CBSA (Criminal uL. d E 
———B à 


| When information is needed by the CBSA to | | The CBSA and ESDC will make every | 
: support legal proceedings (i.e. prosecution), a | reasonable effort to ensure that the 
request is sent to ESDC's TFWP transmission of information 
5 i However, there may be instances where | : 
with investigative details designated 
as Protected B information are sent to ESDC 
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Arranged Employment Opinion 

Access to information and Privacy 

Border Services Officer 

Computer-Assisted Immigration Processing System 
Canada Border Services Agency 

Criminal investigations Program 

Criminal investigations Information Management System 
Country of Birth 

Class of Record 


Department of Employment and Social Development Act 


Date of Birth 


. Departmental Security Officer 


Foreign National 

Field Operational Support System 
File Transfer Protocol 

Federal Skilled Worker Program 
Foreign Worker System 


Global Case Management System 


Government of Canada 


Headquarters 
Integrated Customs Enforcement System 


Inland Enforcement Operations Division 


International Mobility Program 


Intelligence Management System 


Intelligence Analyst 


Intelligence Officer 
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Intelligence Operations and Analysis Division 


Information Sharing Agreement 


Integrity Services Branch (within ESDC) 


. Letter of Understanding 


information Technology/Information Management 
Labour Market impact Assessment 


Labour Market Opinion 


Memorandum of Understanding 


North American Free Trade Agreement 
National Case Management System 
Online Fraud Reporting Tool 

Office of the Privacy Commissioner of Canada 
Privacy Act 

Policy on Government Security 

Privacy Oversight Committee 

Public Prosecution Service of Canada 
Privacy Impact Assessment 

Personal Information Bank 

Port of Entry 

Permanent Resident 


Security Assessment and Authorization 


Temporary Resident 
Threat and Risk Assessment 


Temporary Resident Visa 


. Vice-President 


Virtual Private Network 


Written Collaborative Agreement 


Work Permit 
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Action Plan . The Action Plan describes the steps that the Program will take to address risks that have 
been identified by ATIP Division, OPC and TBS. 


Administrative purpose The Privacy Act defines an “administrative purpose" to be the use of an individual's 
personal information in a decision-making process that directly affects that individual. 


. Confidentiality The Government Security Policy (2002) defines “confidentiality” to be the attribute that 

| mandates that the information concerned must not be disclosed to unauthorized 
individuals, because of the resulting injury to national or other interests, and more 
specifically, because such disclosure would be contrary to provisions of the Access to 
Information Act and the Privacy Act. 


Consistent use A use that has a reasonable and direct connection to the original purpose(s) for which the 
information was obtained or compiled. This means that the original purpose and the 
proposed purpose are so closely related that the individual would expect that the 
information would be used for the consistent purpose, even if the use is not spelled out. 


Data Matching A comparison of personal data obtained from a variety of sources, including personal 
information banks, for the purpose of making decisions about the individuals to whom the 
data pertains. Data matching is a specialized activity involving the collection, use and 
disclosure of personal information that is subject to the various requirements of the 
Privacy Act. | 


info Source [s a series of annual Treasury Board Secretariat publications in which government 
institutions are required to describe their institutions, program responsibilities and 
information holdings, including PIBs and classes of personal information. The descriptions 
are to contain sufficient clarity and detail to facilitate the exercise of the right of access 
under the Privacy Act. Data-matching activities, use of the SIN and all activities for which 
privacy impact assessments were conducted have to be cited in /nfo Source PIBs, as 
applicable. The /nfo Source publications also provide contact information for government 
institutions as well as summaries of court cases and statistics on access requests. 


Personal Information Personal Information: Information about an identifiable individual as defined in section 3 
of the Privacy Act. This definition, although lengthy, is not exhaustive, as indicated by the 
introductory phrase, "including, without restricting the generality of the foregoing". 
Information that is not specifically mentioned in the list may still be included in the 
definition of personal information if it qualifies as "information about an identifiable 
individual". 


Personal Information ls a description of personal information that is organized and retrievable by a person's 

Bank name or by an identifying number, symbol or other particular assigned oniy to that 
person. The personal information described in the personal information bank has been 
used, is being used, or is available for an administrative purpose and is under the control 
of a government institution. 


Privacy The Office of the Privacy Commissioner of Canada describes “privacy” as “. the right to 
control access to one's person and information about one's self. The right to privacy means 
that individuals get to decide what and how much information to give up, to whom it is 
given, and for what uses." 


The Temporary Foreign Worker Program (TFWP) is governed by the Immigration and Refugee Protection 
Act (IRPA) and the Immigration and Refugee Protection Regulations (IRPR), and is jointly administered by 
Citizenship and Immigration Canada (CIC), Employment and Social Development Canada (ESDC) and the 
Canada Border Services Agency (CBSA). The Program enables employers in Canada to bring over 300,000 


when Canadian citizens or permanent residents are unavailable. 


For employers who have been unabie to recruit Canadian citizens or permanent residents for available 
jobs, the TFWP makes it possible to hire workers from abroad or qualified foreign workers already in 
Canada. 


While most TFWs will be hired to address a specific, short-term labour need, some TFWs who initially 
came to fill a temporary vacancy can transition to permanent residence if they meet certain 
requirements. These routes exist to ensure that workers who have shown that their skills are in 
continuing demand and that they have already adapted well to life in Canada can build a future here. 


A. Overview of the Program 
The following requirements may apply to an applicant under the TEWP, depending on the particular 


* 


circumstances of the case: 


1. Labour Market Impact Assessment 
An employer usually must request a Labour Market Impact Assessment (LMIA), issued by ESDC, 
before hiring a foreign worker. 


A positive LMIA from ESDC is generally required to support a work permit (WP) application, 
unless CIC deems the position to be LMIA-exempt, which depends on the occupation and case 
specific circumstances. In 2013, approximately 3896 of TFWs (176,613 individuals) required an 
LMIA; whereas 62% (284,050) were LMIA-exempt. When an LMIA is required, an LMIA 
application (See Annex D) is submitted by the employer to ESDC. Employers may also submit a 
form authorizing a 3rd party representative to engage with ESDC/Service Canada for the 
purpose of the LMIA application (See Annex E). ESDC reviews the employer's application, 
ensures TFWP requirements are met, and assesses the likely impact of the TFW(s) on Canada's 
labour market. ESDC issues a positive LMIA (also known as an ESDC Confirmation) when the 
employment of the foreign nationals (FNs) is not expected to have a negative impact on 
Canada's labour market. 


2. Visa 
some prospective TFWs require a visa, which authorizes travel from the foreign country to 
Canada. Visas are an official counterfoil document, issued by a CIC visa office abroad which is 
placed in a FN's passport to show that he or she has met the requirements for travel to Canada 
as a temporary resident (a visitor, student or worker). Citizens of certain countries and 
territories require a visa to travel to Canada (e.g. Brazil), whereas citizens of other countries do 
not (e.g. United States of America). 
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atte, 3. Work Permit 
A WP is a document that authorizes a person to work legally in Canada. it sets out conditions for 
the worker such as: 


e the type of work they can do; 

e the employer they can work for; 
e where they can work; and 

e how long they can work. 


In general, ali FNs coming to work in Canada require a WP, unless otherwise exempted under 
section 186 of the IRPR. WP applications for visa-required FNs are submitted to CIC at a visa 
office abroad. if the WP application is approved, a “Letter of Introduction" is provided by CIC to 
the FN for presentation to the CBSA at the POE. Visa-exempt FNs may apply for a WP directly at 
the POE upon arrival in Canada. In these cases, the WP assessment is completed by the CBSA 
Border Services Officer (BSO). It is noted that CIC does not issue WPs abroad. The official WP 
document is only issued by the CBSA at the POE, if the necessary admissibility and eligibility 
criteria have been met. CBSA officers at POE make the final decision as to who may enter and 
work in Canada. 


Depending on the circumstances of the employer and the FN, a WP, visa, and/or LMIA may be 
required. Table 1 provides a few examples of when one, two, or all three may be required. 


_ An American professional hockey 
| player, playing for a team in the 

| United States, travels to Montreal for 
! a game. 


Not Required Not Required Not Required 


| American university travels to Canada Not Required Required Not Required 


| An American travels to Canada to 

| perform emergency repairs on 

| commercial/industrial equipment 

| that, while unrepaired, is disrupting 


Required | . Not Required Not Required 


2 
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| A Brazilian nanny being hired by a 


| family residing in Canada. 


Required | Required 


B. Federal Skilled Worker Program (assessed under section 82 and section 203 of IRPR 
On May 4, 2013 the LMIA replaced the former Arranged Employment Opinion (AEO) that was provided 
by Service Canada to employers who have made an offer of permanent employment to a skilled 
temporary foreign worker (TFW) in support of their application for permanent residence. Under the 
FSWP, ESDC and Service Canada are mandated to provide an opinion on an employer's permanent, full- 
time job offer to a TFW. If a positive LMIA is issued, the foreign national may receive 10 points to 
support their permanent residence application for having "arranged employment" in Canada. 
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Under the FSWP, the definition of "arranged employment" has not changed and means an offer of 
employment in an occupation listed in Skill Type O Management Occupations or Skill Level A or B of the 
National Occupational Classification matrix. Refer to R182 of IRPR for more details. 


C. Rolesand Responsibilities 


The TFWP and the FSWP are jointly administered by ESDC, CIC and the CBSA. The specific roles of each 
organization are detailed below. 


1. ESDC 

ESDC is mandated under the IRPA to provide an assessment of the potential labour market impact of the 
entry of TFWs into Canada's workforce, in the form of the LMIA; formerly called a Labour Market 
Opinion (LMO). Information collected and used to develop an LMIA includes: employer business and 
personal information, personal information about the prospective foreign workers, and employer 


(if applicable). When an LMIA is required, ESDC reviews the employer's application, ensures appropriate 
program requirements are met, and assesses the likely impact of the employment of the FNs on 
Canada's labour market. 


As reflected in the Privacy Notice Statement on an LMIA, the information provided by employers on an 
LMIA application may be shared with CIC for the administration and enforcement of the IRPA and IRPR 
as permitted by the Department of Employment and Social Development Act (DESDAY, and may be 
accessed by the CBSA for the purpose of issuing WPs at POEs. ESDC may aiso provide information to 
CBSA in order for that agency to investigate and enforce the IRPA and IRPR in relation to an LMIA. 


FSDC also performs ECRs and employer inspections to ensure compliance with program requirements. 


2. CIC 

CIC is responsible for reviewing and processing visas and WPs, and issues visas and authorizes WPs 
when required. Following receipt of a WP application including a copy of the ESDC confirmation letter 
that confirms the employer received a positive LMIA (when required), a CIC visa office abroad reviews 
the application and, after assessing both program and admissibility requirements, either approves or 
refuses the WP application. If the WP application is approved, CIC will issue a "Letter of Introduction" to 
the FN. 


Also, CIC administers the International Mobility Programs (IMP), which allows particular TFWs to be 
LMIA-exempt. For example, labour mobility is a key part of the North American Free Trade Agreement 
(NAFTA). NAFTA provides reciprocal benefits, allowing FNs in certain occupations from partner countries 
to work in Canada without the requirement to obtain an LMIA, as well as allowing Canadians to work 
abroad with similar privileges. While about 12,000 Americans worked in Canada through the NAFTA 
professional occupation provision in 2011, the number of Canadians working in the United States 
through the same provision more than tripled that, with about 39,000 in all. 


By exempting some FNs from needing an LMIA before being able to work in Canada, the IMP aims to 
provide competitive advantages to Canada and reciprocal benefits to Canadians. 


pn 
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As part of its responsibilities to administer the TFWP and the IMP, CIC is also responsible for inspections 
of IMP employers. This authority was introduced in 2013 via amendments to the IRPA/IRPR. To date, 
however, CIC has not undertaken any inspection activities under the new authority. CIC will be entering 
into an arrangement with Service Canada so that Service Canada’s Integrity Services Branch will perform 
certain IMP inspections on behalf of CIC. 


3. CBSA 
The CBSA is responsible for the administration and enforcement of the TFWP and the FSWP at Canadian 
POEs and inland. 


CBSA officers at POE determine the admissibility of FNs to Canada, assess WP applications (for visa- 
exempt FNs), verify the eligibility of prospective foreign workers, and issue WPs, if the necessary criteria 
are met. When a WP is issued, the BSO will explain any associated conditions. For WP applications that 
are assessed by CIC at a visa office abroad, if CIC approves the WP application a “Letter of Introduction” 
is issued. However, the final determination of a FN's admissibility to Canada can only be made by a BSO 
at the time the FN seeks entry into Canada. The decision to issue a WP to any FN rests with the BSO in 
accordance with the requirements of the IRPA and IRPR. As such, FNs seeking entry to work in Canada 
are not guaranteed a WP, even if CIC issues the “Letter of Introduction’. 


CBSA inland or regional enforcement offices are responsible for the investigation and removal of FNs 
who are in violation of the IRPA, whether that is because they did not obtain the required authorisation 
prior to working in Canada, or because they remained in Canada beyond the period authorised for their 
stay. More specifically, inland enforcement officers will investigate FNs who are suspected or alleged to 
be working illegally, they will work to obtain the appropriate removal order, they will detain where 
necessary, and will oversee the removal of the person concerned. Where the FN or the party employing 
that FN has engaged in activity that constitutes an offence under the IRPA, the CBSA Criminal 
Investigations Program (CIP) will undertake a criminal investigation, prepare and lay the relevant 
charges under the IRPA, and work with the Public Prosecution Service of Canada to secure a conviction 
for the offence or offences committed. The CBSA CIP may also investigate and prosecute any other 
parties to an offence, such as immigration consultants who counsel misrepresentation or otherwise 
facilitate TFWP fraud. The CBSA intelligence Operations and Analysis Division (IOAD) provides 
intelligence support to the immigration enforcement and criminal investigations programs by collecting, 
assessing, and disseminating information about suspected or actual contraventions of border-related 
legislation and programs, including the IRPA and TFWP. 


D. Previous Privacy impact Assessment and Historical Sharing of Information 


Historically, the CBSA and ESDC have shared information regarding FNs, employers, and third parties, as 
reflected in the 2011 CBSA TFWP PIA, Sharing of information was conducted pursuant to subsection 
34(1) of DESDA which provides ESDC with the authority to make personal information available to CBSA 
for the administration or enforcement of sections 82 and 203 of the IRPR. 


The CBSA has historically shared information with ESDC regarding pending criminal prosecutions of 
individuals and companies, which assist ESDC in assessing current and future LMIAs. 


Although the 2011 PIA recommended that the limited historical information sharing between ESDC and 
the CBSA be formalized, a Letter of Understanding (LOU) was not signed by the respective parties until 
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May 2014. Subsequently, an information Sharing Agreement (ISA) was negotiated and signed in April 
2015, to reflect an amendment to the DESDR that would expand information sharing between the two 
parties, This PIA reflects the changes introduced by the regulatory amendment and the ISA. 


E. Overall Changes/Effect on the CBSA 


In Economic Action Plan 2013, the Government of Canada committed to reforming the TFWP by 
protecting foreign workers from abuse and exploitation, and reinforcing the principle that Canadians be 
given the first chance to be selected for available jobs. The 2014 Budget committed significant funding 
for ESDC to make changes to the LMIA process and introduce reforms relating to LMIA-exempt 
situations. The reforms to the TFWP are aimed at: 


e reducing employer use and reliance on temporary foreign workers (TFWs); 
Ensuring that employers who abuse the Program face significant consequences; 

e Restricting access to the Program; and, 

e Improving labour market information. 


As part of these initiatives, ESDC will be investing more time and money into identifying and deterring 
employer misconduct with the TFWP conditions. In addition, both CIC and ESDC intend to increase their 
inspection activities and to seek authority to compel documents from third parties that could prove 
employer non-compliance. As a resuit, referrals to the CBSA for potential criminal investigation are 
expected to increase. 


To facilitate information sharing, the two departments agreed to work together to amend the DESDR to 
recognize CBSA as a prescribed federal institution for the purposes of section 35 of DESDA (i.e. a law 
enforcement body recognized in the Act), which would allow ESDC to disclose data to the CBSA for the 
broader administration and enforcement of the IRPA. The relevant sections of the DESDA and DESDR are 
as follows: 


Section 35(1) of the DESDA states: "li]nformation may be made available to a 
minister or a public officer of a prescribed federal institution for the 
administration or enforcement of a prescribed federal or provincial law or 
activity if the Minister considers it advisable and the information is made 
available subject to conditions that are agreed on by the Minister and the 
federal institution." 


Section 3 of the DESDR states: For the purpose of subsection 35(1) of the Act, 
information that is obtained, or prepared from information that is obtained, 
under any program other than the Canada Pension Plan or the Old Age Security 
Act may be made available to the following..." 
(a) the Canada Revenue Agency, for the administration or enforcement 
of the Income Tax Act; 


(/) the Canada Border Services Agency, for the administration or 
enforcement of the immigration and Refugee Protection Act.” 
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F. Information Sharing Agreement (ISA) Between ESDC and the CBSA 
The final version of the ISA, which is attached as Annex J, came into force on April 16, 2015. 


Details on the types of information to be exchanged between ESDC and the CBSA are described in 
Section 3 (Purpose of the ISA). 


The iSA formalizes the exchange of information between the two institutions, including ample privacy 
protection clauses consistent with TBS's Guideline on Preparing information Sharing Agreements 
involving Personal Information, and describes the specific personal information which will be shared, as 
well as the manner in which it will be shared, as follows: 


1. Disclosure of ESDC Information to CBSA 


Personal information may be disclosed to the CBSA for the administration and enforcement of 
the TFWP and the IRPA. This includes, but may not be limited to, the issuance of work permits, 
determinations of admissibility, immigration and criminal investigations, and the development 
of intelligence products. 


Annex C of the ISA (Section 2) lists the data elements which may be disclosed by ESDC upon 
request of the CBSA, or on ESDC's own initiative. 


ESDC may disclose to the CBSA the personal information listed in Annex C, Section 2, and Annex 
D, Section 2 of the ISA, under section 35(1) of the DESDA. 


2. Disclosure of CBSA Information to ESDC 


In addition to the CBSA receiving information from ESDC, the Agency may disclose data to ESDC 
under the newly signed ISA. 


in accordance with the ISA, the CBSA may provide information to ESDC for the purpose of 
administering and enforcing the TFWP and other activities assigned to ESDC under the IRPA and 
the IRPR. Annex E, Sections 2.1 through 2.3 of the ISA provides the data elements that may be 
disclosed to ESDC by the CBSA upon request, or on its own initiative, as appropriate, for the 
purpose of assessing LMIA requests, reviewing LMIAs, and conducting inspections under the 
IRPR. 


The CBSA will endeavour to inform ESDC prior to undertaking public communication activities 
related to a TFWP-related criminal investigation. 

G. Methods of Sharing Information (ESDC and CBSA) 

The ISA between ESDC and the CBSA stipulates that information may be shared through system 


interfaces or through other means. Specifically, the information will be shared as reflected in the table 
below and depicted in Figure 1. 


Canada Border Services Agency 
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ESDC will share information with the CBSA primarily through the When required 
information is unavailable through this view-only access, the information will be made available through 
secure courier, 


The will be established to allow for relevant personal 
information. ESDC will maintain the and CBSA will have access to it in order to deposit or extract 
information as set out in the ISA. Information will be on a case-by-case basis as 
requested by either organization. The requesting organization will be notified via email that the files 
have been and that the requestor has to download them; after which the 
files will be deleted. The FTP site will be protected from unauthorized access by using 
BEES capability to access and use the Approved users will be 
to retrieve source files. ESDC will be capable of auditing the activity of all 
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H. Information Systems 
The following describes the ESDC and CBSA information systems utilized to support the ISA. 


i. ESDC— Foreign Worker System (FWS) 
The FWS is ESDC's single, integrated system used internally to process applications for LMIAs 
and to track employer compliance with Program requirements. The FWS stores only the types of 
personal information required to process LMIAs and conduct assessments of employer 
compliance. The type of personal information collected includes, but is not limited to: 


e Client identification: family name, give names, gender, date or birth (DOB), country of 
birth (COB), etc. 

e Contact information, including history 

e Job offer information 

e Compliance history, etc. 


As reflected in Figure 1 above, the FWS maintains an interface with FOSS and GCMS both of 
which are systems maintained by CIC and for which CBSA staff have various user rights profiles. 


2. ESDC SharePoint 
ESDC maintains a SharePoint site which stores various types of data that may be of benefit to a 
CB5A investigation or intelligence effort. For example, information received via ESDC's Online 
Fraud Reporting Tool (See Section 4.3 of this PIA) is stored in SharePoint. Data, reports, or forms 
that are stored on SharePoint may be shared by ESDC in accordance with the 
ISA. 


3. CBSA — Field Operational Support System (FOSS) 
FOSS is CIC's ageing immigration system. At the writing of this PIA, an interface to FOSS remains, 
but will be replaced by an interface to GCMS prior to the decommissioning of FOSS, 


FOSS and GCMS exist in parallel to ensure that both systems maintain accurate data. An 
interface exists between FOSS and GCMS sharing transactional data to ensure both systems 
maintain similar data until FOSS is decommissioned. 


Until such time that FOSS is decommissioned, the FWS-FOSS and FWS-GCMS interfaces will 
remain, The FWS-FOSS interface will cease when FOSS is decommissioned, expected by 
December 2015. 


4. CBSA Global Case Management System (GCMS) 
The GCMS is CIC's single, integrated and worldwide system used internally to process 
applications for citizenship and immigration services. GCMS stores only the type of personal 
information required to process citizenship and immigration clients. The type of personal 
information collected includes, but is not limited to: client identification, contact information 
and educational and employment information. 
CBSA has various user rights within GCMS; mostly "view only" access. The FWS-FOSS and EWS- 
GCMS interface allow CBSA users view only access to FWS data. The interface does not support 
FOSS or GCMS data being transmitted to FWS. 
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5. CBSA - Integrated Customs Enforcement System (ICES) 
The Integrated Customs Enforcement System (ICES) is the CBSA's primary customs enforcement 
system at POEs. As such, ICES is the repository for enforcement-related information. This 
includes records of seizures and other enforcement actions, lookouts, intelligence, and 
information from external sources relating to enforcement. 


ICES provides enforcement action data capture, lookout creation and dissemination, query and 
reporting available 24/7, 365 days a year. All information contained within ICES is classified as 
Protected B. 


ICES also includes information on traveller history and vehicle passage history which enables the 
CBSA to fully measure, evaluate and report on the performance of the enforcement program 
and its related activities. 


ICES is designed to support both the front line officers and the intelligence and investigations 
resources' ability to collect, analyze and disseminate the information necessary to identify and 
react to border-related risks. 


Information de FNs RR E to Canada, dic. those Seng dais under the 
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ent 6. National Case Management System (NCMS) 
The National Case Management System (NCMS) is the CBSA's primary immi ration enforcement 
case management system which interfaces with FOSS and GCMS. Dedicated to serving the needs 
of Immigration Enforcement Officers, NCMS is a web-enabled immigration enforcement case 
tracking tool that tracks approximately 1,000 new enforcement cases per week. The database 
contains over 150,000 active enforcement cases and more than 500,000 historical records. 


7. CBSA Criminal Investigation Information Management System (CIIMS) 
CUMS is the principal information management system used by employees in the CBSA's CIP. 
CUMS is an information management, as opposed to a case management system. 


CIMS is scheduled to be replaced by an information/case management system in FY 2016-17. 


8. CBSA - Intelligence Management System (IMS) 
information shared by ESDC may be provided to CBSA's HQ and regional intelligence units, 
which store all information/intelligence in their dedicated case management application; the 
IMS. Access to the IMS is restricted to IOAD staff, regional intelligence units, the National 
Security Screening Division, the Border Operations Centre, National Targeting Centre, and CIP. 
Some of these units have read only access. For the purposes of fulfilling its mandate some IOAD 
data is disclosed to BSOs, IEOD or other internal and external partners. 


it is further noted that some users, such as BSOs and IEOD, have some access to IMS through 
the Occurrence Reporting System (ORS), which enables them to input data to IMS, but prohibits 
them from viewing any data. These same users are able to utilize ORS to query IMS, which 
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presents a "hit list" for their subject query. These users must contact an IO for further details on 
the "hit list". 


Secure Tracking System (STS) 

The Secure Tracking System (STS) contains information regarding FNs who have had a security 
screening check completed, or have one underway as a result of an application to enter Canada. 
in some instances, STS may contain information on FN's involved in and/or associated with any 
organization involved in war crimes, crimes against humanity and/or terrorist activities, 
organized crime, money laundering, terrorist financing, human smuggling, or persons associated 
with criminal organizations, and whose admission or presence in Canada may be contrary to 
immigration or citizenship legislation. 


The primary role of STS is to assist in screening Temporary and Permanent Resident (TR/PR) visa 
applications. 


STS has a full text storage capability that contains information gathered by intelligence units 
including Canadian and foreign investigative bodies and law enforcement agencies. The system 
tracks individuals, their actions and associations. It enables the exchange of screening requests 
between missions and HQ, and assists in vetting all visitors and groups seeking to come to 
Canada or those already in Canada as visitors, as TR, PR, or naturalized citizens known to or 
suspected of engaging in activities contrary to the IRPA. The information contained in STS may 
be used in the administration of immigration legislation. 


in limited circumstances, IOAD and regional intelligence units may store information collected 
from ESDC in STS. 


User Rights and Audit Trails Within CBSA Systems 


The CBSA systems described above include a variety of security features to protect the sensitive 
information that is stored within them. Access to various sections within the systems is granted 
on a "profile" basis. The profile assigned to a user dictates which sections of the application the 
user can access, as well as what information can be viewed or edited. The systems described 
above also utilize a detailed audit trail that keeps track of the dates and times users' access, edit 
and view the various records. 


Scope of this PIA 


The scope of this PIA is limited to CBSA activities that fall under the ISA between the CBSA and ESDC. It is 
intended to complement a parallel PIA being authored by ESDC on the ISA. While the ESDC PIA 
addresses the Department's regulatory reform to support information sharing and the ISA, the CBSA's 


PIA is limited in scope to the manner in which the CBSA will request, use, store, protect and disclose 


information under the ISA. 
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Report Objectives 


This report is a PIA regarding the ISA between the CBSA and ESDC. The objectives of this PIA are: 


e to review the business processes in order to identify the data flow of personal information; 
e to analyze the collection, use, disclosure and retention of personal information; 

» to determine if there are privacy risks associated with the ESDC information exchange; and 
e to provide recommendations on the mitigation or elimination of the risks. 


The information presented in this report follows the TBS Directive on Privacy Impact Assessment and its 
related directives and guidelines. 

The purpose of a PIA process is to ensure that privacy is considered throughout the project development 
cycle. The results of a PIA are a documented guarantee that privacy issues have been identified and 
adequately addressed. 


Government Institution: Canada Border Services Agency, Programs Branch 


Head of the government institution 
section 10 of the Privacy Act 


Government Official Responsible for the Privacy 


Impact Assessment 


Peter Hill Dan TNT 
A/Vice President, Programs Branch Director, Access to Information and Privacy (ATIP) 


Name of Program or Activity of the Government Institution: 


Description of Program or Activity: 


Canada Border Services Agency 
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—— Program 1.4: Criminal Investigations 


Under the Criminal Investigations Program, the CBSA protects the integrity of border-related legislation and 


contributes to public safety and Canada's economic security by investigating and pursuing the prosecution of 
persons who commit criminal offences in contravention of Canada's border-related legislation. 


CBSA investigators review potential border legislation violations and gather evidence using a variety of 
investigative techniques, including search warrants and production orders. These violations include criminal - 
offences under the Customs Act, Immigration and Refugee Protection Act, various food/plant and animal : 
legislation, and other border-related legislation. In conjunction with the Public Prosecution Service of | 
Canada, the CBSA pursues the prosecution of individuals or business entities who violate Canada's border- 
related legislation. 


Program 1.5: Immigration Enforcement 


The Immigration Enforcement Program determines whether foreign nationals and permanent residents who 
are or may be inadmissible to Canada are identified and investigated, detained, monitored and/or removed 
from Canada. 


Foreign nationals and permanent residents of Canada believed to be inadmissible are investigated and may 
have a report written against them by a CBSA inland enforcement officer. Depending on the type of 
inadmissibility, the merits of the report are reviewed by either a Minister's delegate or an independent 
decision maker at the Immigration and Refugee Board of Canada (IRB) where a CBSA hearings officer 
represents the Minister of Public Safety and Emergency Preparedness. Subsequent to this review, a removal 
order may be issued against the foreign national or permanent resident in question. Removal orders issued 
against refugee claimants are conditional and do not come into force until the claim is abandoned, 


Description: Describes records related to the Temporary Foreign Worker Program. May include records 
related to the use of electronic systems used to administer or manage the program including the Citizenship 
and Immigration Canada's Field Operations Support System (FOSS), Computer-Assisted Immigration 


a Proposal for a New Personal Information Bank 
| | Proposal to modify an existing Personal Information Bank - identify PIB registration number and current 
description: 


E 


TFWP ISA with ESDC - PIA 


Temporary Foreign Worker Program (CBSA PPU 050) 


Description: This bank describes information that is related to the administration of the Temporary Foreign 
Worker Program. The personal information may include name, aliases, contact information, biographical 
information, citizenship status, criminal checks/history, date of birth, gender, educational information, 
employee identification number, passport number, client identification number, work permit number, 
temporary visa number, other identification numbers, language, medical information, physical attributes, 
place of birth, signature and last country of residence. 


Information Request form, individuals requesting information described by this bank must provide the 
Name, aliases, date of birth, Client identification number (also known as Field Operations Support System 
(FOSS) number, work' permit number, citizenship. Information may be stored in the following internal 
systems / databases: Field Operational Support System (FOSS), Global Case Management System (GCMS), 
Computer Assisted immigration Processing System (CAIPS). 


There are two related PIBs and CORs for Criminal Investigations and Intelligence. Those are reflected below: 


Descri 


ption of the CORs associated with the program or activity: 


Description: Describes records related to the investigation of individuals and entities suspected of 
committing offences against Canada's border legislation, such as the Customs Act and/or the Immigration 
and Refugee Protection Act (IRPA), and any subsequent or related prosecution. 


Note: Records may be found in the following systems: Criminal Investigations Information Management 


System (CIIMS), the Intelligence Management System (IMS), the Integrated Customs Enforcement System 


(ICES), the Field Operations Support System (FOSS), the National Case Management System (NCMS), the 


Global Case Management System (GCMS), the Automated Import Reference System (AIRS), the Accelerated 


Commercial Release Operations Support System (ACROSS) and the Canadian Police Information Center 


(CPIC). 


Class of Record Number: CBSA ENF 123 
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Criminal Investigations Program (CBSA PPU 1402) 


Description: This bank describes information that is about individuals subject to criminal investigation by 
the CBSA. Personal information may include photographs, name, contact information, biographical 
information, biometric information, citizenship status, credit information, criminal checks/history, date of 
birth, date of death, educational information, financial information, personal identification numbers, 
physical attributes, place of birth, place of death, signature, identity/travel document, residence history, 
phone records, computer records, caution flags, business records, import/export information, customs 
infractions and seizures, immigration violations and offences, travel history. 


Note: In addition to the requirements specified on the Treasury Board of Canada Secretariat Personal 
Information Request form, individuals requesting information described by this bank must provide the 
incident and location. Personal information may be stored in the following systems: the Criminal 
Investigations Information System (CIIMS), the Intelligence Management System (IMS), the Integrated 
Customs Enforcement System (ICES), the Automated Import Reference System (AIRS), the Accelerated 
Commercial Release Operations Support System (ACROSS), the Field Operations Support System (FOSS), the 
Global Case Management System (GCMS), the National Case Management System (NCMS), the Secure 
Tracking System (STS) and the Canadian Police Information Centre (CPIC). 


vane | Description: Describes records related to intelligence activities concerning individuals and entities that are of 
_ interest to the CBSA in connection to smuggling and contraband, irregular migration, immigration fraud, and 
_ inadmissibility and terrorism in support of CBSA's border enforcement mandate. 


. Note: Records may be found in the following systems: the Intelligence Management System (IMS), 
the Support System for Intelligence (SSI), the Integrated Customs Enforcement System (ICES), the Field 
_ Operations Support System (FOSS), the National Case Management System (NCMS), the Global Case 


Class of Record Number: CBSA ENF 1401 
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Intelligence Program (CBSA PPU 035) 


Description: This bank describes information that is about individuals suspected of involvement in 
contraband smuggling, money laundering, terrorist financing, immigration fraud, irregular migration, 
human smuggling and/or trafficking, terrorism, or other border related enforcement and security concerns. 
Also includes information on individuals suspected of being inadmissible to Canada. Personal information 
may include name, contact information, biographical information, biometric information, citizenship status, 
credit information, criminal checks/history, date of birth, educational information, financial information, 
travel/identity documents, personal identification numbers, physical attributes, place of birth, signature, 
import/export information, customs infractions and/or seizures, traveller history and immigration 
violations. 


Note: In addition to the requirements specified on the Treasury Board of Canada Secretariat Personal 
information Request form, individuals requesting information described by this bank must provide the 
incident and location. Personal Information may be stored in the following systems: the Intelligence 
Management System (IMS), the Support System for Intelligence (SSI), the Secure Tracking System (STS), the 
Integrated Customs Enforcement System (ICES), the National Case Management System (NCSM), the Field 
Operations Support System (FOSS), the Global Case Management System (GCMS) and the Canadian Police 
Information Center (CPIC). 


| |Proposed new Standard Personal information Bank 
Ww Proposal to modify an existing Standard Personal information Bank - identify Standard PIB number and 
current description: 


N/A 


Legal Authority for Program or Activity: 


With respect to the CBSA-EDSC TFWP ISA, personal information is collected pursuant to Sections 11, 20 and 22 
of the Immigration and Refugee Protection Act (IRPA) and Part 11 of the immigration and Refugee Protection 


Regulations (IRPR). 


In addition to what is identified in the ISA, personal information is also collected by the CBSA under sections 15, 


16, and 18 of the IRPA and s. 5 of the CBSA Act. 


Also, Pursuant to paragraph 8(2)(a) of the Privacy Act, and under section 209.92 of IRPR, the CBSA has the 
authority to disclose information related to the TFWP to ESDC for the administration or enforcement of the 


TFWP, the FSWP and the IMP. 


Summary of the project, initiative, or change: 
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The TFWP enables employers to hire TFWs as a last resort to meet their short-term labour and skills needs 
when qualified Canadian citizens or permanent residents are not available, while respecting international trade 
agreements and other partnerships. The FSWP is a pathway to permanent residence for high skilled foreign 
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nationals who are looking to become established in Canada. The TFWP and FSWP are jointly managed by ESDC - 


and CIC under the authority of the IRPA and IRPR. 


The LMIA (issued by ESDC) determines whether the employment of a TFW is likely to have a positive or | 
negative effect on the Canadian labour market. Information collected and used for this assessment includes: - 
employer business and personal information, TFW personal information and employer compliance information 
(including Employer Compliance Review (ECR) or Inspection results). ESDC also issues LMIAs for permanent | 


resident applicants under the FSWP. 


The IMP, managed by CIC under the authority of the IRPA and IRPR, includes streams of work for which an | 
LMIA is not required. its primary objective is to advance Canada's broad economic and cultural natural interest, | 


rather than filling a particular job. 


The CBSA's role in the TFWP, FSWP and IMP includes determining the admissibility of foreign nationals to 
Canada and determining whether to issue work permits at POE. The CBSA is also responsible for investigating - 
cases of possible criminal activity under the IRPA, ranging from misrepresentation by an employer on an LMIA - 


are in contravention of Canada's immigration legislation. 


application (i.e. false, misleading or fraudulent information) to locating and removing FNs, including TFWs, who - 


ESDC has amended the DESDR to identify the CBSA as an organization to which information can be disclosed 


under s. 35(1) of the DESDA. Prior to the regulatory amendment, ESDC could only share information with the 
CBSA pursuant to subsection 34(1). 


In April 2015, an ISA was signed between ESDC and the CBSA to enumerate the personal information which 
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E SECTION 2 - RISK AREA IDENTIFICATION AND CATEGORIZATION 


Type of Program or Activity Level of Risk 


Program or activity that does NOT involve a decision about an identifiable individual Be 


Personal information is used strictly for statistical / research or evaluations including mailing list where no 
decisions are made that directly have an impact on an identifiable individual. 

The Directive on PIA applies to administrative use of personal information. The Policy on Privacy Protection 
requires that government institutions establish an institutional Privacy Protocol for addressing non- 
administrative uses of personal information. The CBSA Privacy Protocol must be implemented. Contact the 
ATIP Division before continuing the PIA. 


Administration of Programs / Activity and Services 
Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility 
for programs including authentication for accessing programs/services, administering program payments, 
overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc...). 


Compliance / Regulatory investigations and enforcement 
Personal information is used for purposes of detecting fraud or investigating possible abuses within 
programs where the consequences are administrative in nature (i.e. a fine, discontinuation of benefits, audit 
of personal income tax file or deportation in cases where national security and/or criminal enforcement is 
notan issue). 


Criminal investigation and enforcement / National Security 4 


Personal information is used for investigations and enforcement in a criminal context (i.e. decisions may lead 
to criminal charges/sanctions or deportation for reasons of national security or criminal enforcement). 


Details: information collected by the CBSA will be used to make a decision that directly affects the individual 
_ (admissibility and eligibility in the TFWP/FSWP; detention, removal from Canada, and prosecution — which may 
lead to loss of freedom). Also, employers and relevant third parties (i.e. Consultants) may be investigated by 
the CBSA for alleged offences under IRPA. 
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Type of Personal Information Involved and Context Level of Risk 


Only personal information, with no contextual sensitivities, collected directly from the Wt 
individual or provided with the consent of the individual for disclosure under an authorized 


program. For example: General licensing, or renewal of travel documents or identity 
documents. 


Personal information, with no contextual sensitivities after the time of collection, provided by 
the individual with consent to also use personal information held by another source. For 
example: An application process with a requirement for independent verification of certain 
non-sensitive factual details. 


Social Insurance Number, medical, financial or other sensitive personal information and/or the x 3 
context surrounding the personal information is sensitive. Personal information of minors or 
incompetent individuals or involving a representative acting on behalf of the individual. For 

example: An individual's name on a particular list may reveal sensitive information on the 
health, financial situation, religious or lifestyle choices of that individual. 


Sensitive personal information, including detailed profiles, allegations or suspicions, bodily 
samples and/or the context surrounding the personal information is particularly sensitive. For 
example: Personal information that reveals intimate details on the health, financial situation, 
religious or lifestyle choices of the individual and which, by association, reveals similar details 
about other individuals such as relatives. 


Details: Information collected by the CBSA for administration of the TFWP/FSWP, which involves the collection 
—.. and use of information provided on LMIA, WP, and visa application forms. Also, information is collected and 
used to support criminal investigations, which often contain information/allegations that are of a sensitive or 

highly sensitive nature. 


Program or Activity Partners and Private Sector Involvement Level of Risk 


Within the CBSA (amongst one or more programs within the CBSA) 
With other federal institutions xX 2 


With other or a combination of federal/ provincial and/or municipal government(s). 


Private sector organizations or international organizations or foreign governments 


Details: Within the CBSA information will be used by BSOs, investigators, intelligence officers and analysts 
within the CIP, IEOD, and IOAD, as well as regional investigations units. Also, information will be exchanged 
- with ESDC to support administration of the TFWP by both departments. 


Information may be provided by the CBSA to federal, provincial, or territorial courts, the IRB, as well as the 
Public Prosecution Service of Canada, to support the issuance of search warrants, Production Orders, and in 
relation to criminal prosecution and removals. 
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^" Duration of the Program or Activity Level of risk 


One time program or activity E 1 
Typically invoives offering a one-time support measure in the form of a grant payment as a social support 
mechanism. 

Short-term program | ]2 
A program or activity that supports a short-term goal with an established "sunset" date. 


Long-term program 3 


Existing program that has been modified or is established with no clear "sunset". 


Details: The exchange of information is intended to be a long-term agreement with no clear sunset. 


Program Population Level of Risk 
The program affects certain employees for internal administrative purposes. 
The program affects all employees for internal administrative purposes. 


The program affects certain individuals for external administrative purposes. 


The program affects all individuals for external administrative purposes. 


Details: The information collected and used by the CBSA will affect individuals (FNs, third parties) and 

^ companies for the administrative purpose of determining eligibility for the TFWP, FSWP, IMP, admissibility to 
Canada, and compliance with the IRPA, which may result in criminal prosecution related to contraventions of 
the IRPA. 


Technology and Privacy 

6.1 Does the new or modified program or activity involve the implementation of a new electronic — DX] YES 
system, software or application program including collaborative software (or groupware) that INO 
is implemented to support the program or activity in terms of the creation, collection or 
handling of personal information? 


6.2. Does the new or modified program or activity require any modifications to IT legacy systems | | YES 
and / or services? X| NO 


6.3 Does the new or modified program or activity involve the implementation of one or more of 
the following technologies: 


6.3.1 Enhanced identification methods: YES 
This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint NO 
analysis, voice print, radio frequency identification (RFID), etc...) as well as easy pass technology, 
new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that 
are embedded with either an antenna or a contact pad that is connected to a microprocessor and a 
memory chip or only a memory chip with non-programmable logic). 


Canada Border Services Agency 
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c 6.3.2 Use of Surveillance: [X] YES 
This includes surveillance technologies such as audio/video recording devices, thermal imaging, [| NO 
recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring 


including audit trails, satellite surveillance etc. 


Details: CBSA regional criminal investigations offices conduct surveillance operations - 
in support of on-going TFWP investigations. Surveillance operations of the CBSA are - 
limited to those directly within the CBSA's border management mandate and are 
undertaken for the purpose of obtaining information. Information may be obtained 
through direct observation as well as through the use of audio and/or visual 


6.3.3 Use of automated personal information analysis, personal information matching and | | YES 
knowledge discovery techniques: X NO 
For the purposes of the Directive on PIA, CBSA is to identify those activities that involve the use of 
automated technology to analyze, create, compare, cull, identify or extract personal information 
elements. Such activities would include personal information matching, record linkage, personal 
information mining, personal information comparison, knowledge discovery, information filtering 
or analysis. Such activities involve some form of artificial intelligence and/or machine learning to 
uncover knowledge (intelligence), trends/patterns or to predict behaviour. 


Details: 


Details: The CBSA will upload data which will be administered by the ESDC. ESDC will share 
TFWP/FSWP information with the CBSA as well. The site will utilize and data 
^". will be stored for a limited time Approved user(s) will be given access codes to ESDC's 
to retrieve source files as per the ISA. 


Personal information Transmission Level of Risk 


The personal information is used within a closed system. aM 


No connections to Internet, Intranet or any other system. Circulation of hardcopy documents is controlled. 


The personal information is used in system that has connections to at least one other system. 


The personal information is transferred to a portable device or is printed. 


USB key, CD-Rom, laptop computer, any transfer of the personal information to a different medium. 


The personal information is transmitted using wireless technologies. | j4 


e ennai 
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Risk Impact to the CBSA Level of Risk 
Managerial harm. x< 1 


Processes must be reviewed, tools must be changed, change in provider / partner. 


Organizational harm. x12 


Changes to the organizational structure, changes to the organizations decision-making structure, changes to 
the distribution of responsibilities and accountabilities, changes to the program activity architecture, 
departure of employees, reallocation of HR resources. 


Financial harm. xX] 3 
Lawsuit, additional moneys required reallocation of financial resources, 


Reputation harm, embarrassment, loss of credibility. 4 


Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome 


Details: Decreased confidence from the public and potential lawsuits by the public if there is a privacy breach 


of exposing personal information. A privacy breach could compromise public confidence in the CBSA, 
compromise ongoing investigations, or could jeopardize our relationship with external and international 
. partners, all of which may impact the CBSA's priorities and ultimately the Government of Canada as a whole. 


The loss of information via a privacy breach could have a reputational harm to the CBSA and ESDC, which may 
decrease public confidence in the institutions' ability to deliver its mandate and collect, use, and store personal 


Risk Impact to the Individual or Employee Level of Risk 
inconvenience. 
Reputation harm, embarrassment, 


Financial harm. 


Physical harm. 


Details: The loss of information via a privacy breach could affect individuals across all four levels of risk. The 


data that is collected and shared by the CBSA and ESDC may be highly sensitive and could result in instance of 
reputational harm and/or identity theft if a breach were to occur. In some instances, when tips are received, 


 ESDC asks the individual if he/she will be in imminent danger or risk of serious physical injury. People who fear 
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RSONAL INFORMATION ELEMENTS 


| SECTION 3 - ANALYSIS OF P 


Personal Information Elements and Sub-elements 


The various personal information elements collected by the Program fall under two broad categories, being: 


e Table 3: Personal Information Disclosed by ESDC to the CBSA The information in this table is taken verbatim from the information specified as 
being disclosed by ESDC to the CBSA in Annexes C and D of the ESDC-CBSA TFWP ISA. 


e Table 4: Personal Information Disclosed byt the CBSA to ESDC. The information i in A this table, ana the Ap il that pe this table, is 


| From: 


Internal number assigned. to identify employer in the foreign worker | 
os 


- ME ID 


| E (€ 


| "Employer CR. CRA BN. | 
_*Employer business and legal name 


ane PETENS 


*Employer mailing address, | 
including street number, city, 
province, postal code, phone 
number and fax number. 


*Employer business address (fl 
different than mailing address), P inspertions Of Bina is on the LMIA - 
including street number, city, | 

Bruder e ee 


eee M CMM MM LOVEE TT Mr E E i ee EEEE EEANN AAAA AAAA Aii E a e aa aaa a Aaa a A aa A AA A AA A A A a e e renerien., 
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aaa aaa aaa aa aa Fo A UI EIUS itii i nni ARAS S SONO PE TETE ECS DIS TITI I RII TT SSSR xe ASS P P—— M SERERE Re MAURUS 


VIVI Sue Mie PTR STEPTOE OPES AN AAA AA SA ARRAS Rant — SEN ON OOOO a PT a a aa Aa AAA AM AAA RR 


Response to prom E ox 7 cM IM MEEMMEME C MM MM EL — 
| business is a franchise, is the | 
| corporate head office aware of this | 
ME for TFWs? 


SOT HENSANUU wr geen Narr ame e M Pad I e Nu M DI vex NMDA TE TTC Ea 


‘Date unes Frs Tr To assess “the yo eis ED and oy to “fulfil the 4 terms. pnd IE ESD 
| conditions of employment 

To determine the occupation and corresponding NOC code and labour | 
shortage for that occupation 


| To esta blish n name E tu he employer for contact p pu purposes | Lu 


AE 


main business [ESD -— 


ERA RR — €—— PEPPER PEPPER 


"e calls: fax nümber and e- Ses 
| PRE 


inte sales, TE 
pe Pre ne Meee. iu the — position | 


wee neue eee tttm tmn eene nnns E EA RA A AAA ERA AR AN AA A EU EEE TETE TETE EEE EEE EEE EEE TE venu tete SOLES ETERS EE eee vere memes mem] 


3 ————— PRESE SO GG REY a ia aa 


Response to Questen: Are you 
using the services of a third-party, 
recruiter or employment agency for | 

pu purposes of hiring a TFW? 


Name of third-party, recrui iter or 
NE dL SET for the 


M ER E n — Ro —Á———————————— REPERI 


To identify the third party (third parti es are often desi designated by the | 
employer as the point of contact) 


Regi istr ration, z license. or d ur i MEN 
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| Data Elements 


— A M A S" ree E EEUU PEU Sena ums AAA RA RA AAA /———————————Ó——— P — PRODR R TR ANNAA 


| num be + 
Response dé Question: Are | you 
appointing a third-party to 
represent you in completing this 
| application. form or to provide 
| advice. in and SAUL ELA process? 


—— ———— —  —ÓP PPP AAAA AAAA AAAA EEE EEE EEE EEE TEEN EEE EEE EE TEINTE EEE CSSSS OSS ——9 LT CT TTL EAN Baa MA ABE A AMI ANA BAI ——— ————————— RÍO! 


RE ni no an nn Ame rime nm tres not E ERE RR RE RR RR RR RR RR RR NNI temm mi 


RR - to Que en | Have von ESDC CBSA 
the employer or any other third- 2 

party in connection to this job offer 
| received payment from the TFWs to | 
- secure this offer of employment? - 


rne NNI SALE 


a RAR MM MM D ME OR M — ————Ó—ÀÀ——— —————Á—M———  — —— 


somber of employees currently | To assess the genuineness of the employer and protection of the labour 
employed nationally under this CRA | market (ensure that the employer is not favouring TFWs over Canadians and 
Business number _ permanent residents). - 
Total number of employees To assess the genuineness of the. ‘employer and protection of : the labour | ESDC CBSA 
currently employed at the work | market (ensure that the employer i is not favouring TFWs over Canadians and. | 

| penna eee) 


location specified on this form ient residents]. —  ć c< 


Number of Canadians/permanent | ^ 
resident | employees at work 
| location covered bythisLMIA | 
m number of TFWs at the work 


ertiplover 


To assess the number of TEWs in Canada that are currently employed b by the | 


location specified on this form | employer 


| Response , to Question: Did you | mnm " 
| employ a TFW in the last two years, 
prior to December 31, 2013? | m 
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| Reason for which 


Pre ape rate n AR ARA nn autos ed E AA RAMAMAARARAMANAAN AI dt cite EEES x ARR KAHA AANE OOOO 


you 
provide all TFWs employed by you 
in the last two years with wages, | 
working conditions and 
| employment in an occupation that | 
were substantially the same as | 
those that were described in the 
| offer(s) of employment? 


Response to Question: Have you | 
| applied for and received a positive 
LMIA on or after December 31, 
20 13? si P ATAOE AA E EEA OTE E OOTI PETAR - oe UM PS "IRE 
Response to Question: Did you | 
| | provide all TFWs employed by you, 
on all LMIAs received on or after 
| December 31,2013, with 
i employment in the same 
| Occupation as described in the 
offer(s) of employment and with 
substantially the same wages, | 
working conditions — but not less | 
| favourable than — those set out in 


| had an LMIA revoked within the 
| previous 2 years from the date you 
submitted the application? 


Canada Border Services Agency 
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| Data Elements 


: From: 


| df yes, date and system file number 


VV Y a ra it AANA AAAAARD ANDAR AAAA ARRET SSP EEE IUe deem OTRO TOTO TOOL tete t te Kee Le S AR AA ARA III III III IIS PRÉ rne nr n NS a Eaa a BABA ABA AA AA AN AR SISTI E E STER Ae ee I NISI A RS M M A A ESAE A AA AAA AAA A AAA 


Response to Question: Were any | To ensure that the employer is not requesting a — hich a espe ^— 


employees laid off in the past 12 | Canadian was laid off and cross-referencing the employer response with ROE | 
| months? If yes, how | employer information. 
| many? Reason(s) for layoff(s) and 
occupations affected 


PER RIRE ARARR RAR ARR ARR APA AA EAE APO EOE EE ELLE SEE ECCT A AAA t LEEREN 


business receive support through | employer's Work-Sharing agreement match with the occupation(s) listed on 
any Government of Canada | the LMIA. 
program? If yes, name of program | 


Response to Question: Does your To CfOSS- reference whether Of not the occupati ions). affected | pra “the ESDC | 
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‘Job Offerinformation SS n 
|"obtitle — [| For officers to determine the. ap propri iate NOC level for the - position ion | ESDC | CBSA 
- | E requested j B 

Number of TFWs requested on this | To determine the impact on the labour market and will be used to calculate | ESDC CBSA 

joboffer — | the amount of the user fee for the LMIA. u 

*Expected duration of employment | To cross reference the duration of employment with the type of position | ESDC CBSA 

requested (i.e. Seasonal occupation would not require a 2 year employment) 
I : and verify the duration for which the work permit was issued to the TFW | 
i *Expected start date of | To verify against the start date of the work permit issued to the TFW ESDC CBSA 


employment, ifany _ 
"Location of job: Number and 
| Street, city, province and postal 
| code 

| .*Main duties of the job 


To identify and ensure the location where the work will take place (i.e. an | | ESDC. 
employer could have multiple locations for their business). | 


| | “Educational requirements of the | To assess if the TFW mine: the occupation and corresponding of the job. CIC will 
| veri d this wach the TFW v applies or a wor sremu. 


NA AA KA AAARA RAR AA RAR AA AAA AAA AAA AA AAA AA anna AAAA A a een a eren ESS EEUU EN EE RR NUE EN UNE EEEEEEERESERER EEE naa ae 2a EN naa deme A A A A A AAA RRA ROAR ORR PIII IIIS IOI IIT Pte 
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| Data Elements - | Reason for which I 
|thejob — mud a work perm m —-— PEE MN 
*Language requirements E ensure "that the 5 requirement of the job requested and | E 
advertised is either French or English or a rationale is provided for ‘other’ 
i language | P OE O E A A E. 
Wage in Canadian Dollars and | To assess whether the wages offered to the TFW are Consistent with the 
- number of work hours and. prevailing wage rate for the occupation and whether the working conditions | 
overtime hours rate _ meet generally accepted Canadian standards PENNE MM 
Response to Question: ls the ESDC 
, employment seasonal? DNE ERE MEM 
| *Benefits To assess whether the benefits offered to the TFW meet generally accepted | ESDC 
Canadian standards LLL 


To have comprehensive information on all the benefits provided, which can | 

be verified during an inspection 7 dE 
To assess if the TFW meets the certification/licensing/regi stration 
requirements of the job (CIC to verify when the TFW applies for a work 
permit) 


PPP 


*Response to Question: Are there 
provincial/terri torial/federal 
certification, licensing Or 
registration requirements of the | 
job? If yes, name of the 
certifying/licensing/registering 
DoD JY-——————— ea ee ee een NN 
Confirmation that the position. is : To verify wage(s) and benefits that apply. Where a collective bargaining ESDC 
part of a union. If yes, name of the | agreement exists, the wages and benefits listed within will be used for. 


| 
| 
| 


| Union. — PES assessment — — — "— E ——— . 
| Response to Question: Has ud mE | ESDC 
| union been consulted about hiring | | 
| a TFW? If yes, what is the position | | 
ofthe union? —^ LEE uM LLL d 


Canada Border Services Agency 


] 
TFWP ISA ww... ESDC 


| Data Elements 


Response to Question: Have you 


attempted to recruit Canadians / 
permanent residents for this job? 


Response to Question: What are 
the potential benefits to the labour 
market for offering this job to a 
TFW? 


Rationale for the job offer to TEWs 


| Response to Question: Do you plan 
|to hire or train Canadians / 
| permanent residents for the 
| position for which you are 
| requesting an opinion? 


Number dE RE 0 
| received from | 


Canadi ians/permanent residents 


Canada Border Services Agency 


| Reason for which da lement is collected, u From: 


| professional publications, recruitment drives, job fares etc.) 


| For the officer to verify whether the employment of the foreign national is | ESDC 
| likely to fill a labour shortage 


A RAA RAA AAA AAAA AAAA A ae a a e a Á— S OEEO ARIA DDR DI I DID ID III III D III DID) I III IDD IDD ID III III IIS SSSR 


| To determine whether the employer will hire or train Canadian citizens or | ESDC 


For the officer to determine if the Annie de to recruit Canadians | 
and permanent residents for the job prior to applying for an LMIA. 


| 
| CBSA | 


An employer must submit supporting documentation with the LMIA | 
application to show proof of advertising; such as, advertisements in local and 
national newspapers, recognized internet job sites, job-specific and | 


To determine whether the employment of the foreign national will or is | ESDC 
likely to resuit in the development or transfer of skills and knowledge for the 
benefit of Canadian citizens or permanent residents. 


To determine whether the employment of the foreign national will or is | 
likely to result in direct job creation or job retention for Canadian citizens or 
permanent residents 


permanent residents or has made, or has agreed to make, reasonable efforts 
to do so. 


For the officer to verify whether the employment of the foreign national w 
or is likely to result in direct job creation or job retention for Canadian | 
Sens. or a residents. 
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| Data Elements 


Number of Canadians/permanent 
resident applicants interviewed 
| Number of Canadians/permanent 
| residents offered the position 
Number of Canadians/permanent 
residents hired l 
Number of job offers declined. by | 
Canadians/permanent resident | 
applicants 
Number of Canadians/permanent | 
resident applicants who were not | 


ue for the ejos. u 


EE Ó— P —————— PEPPER ERE 


iin TUTTI IOI NE NR RUE RR RR RR RR NARRA RN AAAA iiir e o DO OE o OE OO EK IR A Ka a A al ln ASISTE TTA Ra a nana aan ann an an nan an a Ea nn nn m aa nans nnne. 


| Response to GRO Will the 
| entry of these TFWs lead to job 
| loses, now or in the foreseeable 
| future, for Canadians/permanent 
residents as a result of layoffs, 
| Outsourcing, offshoring or other 
factors related to utilizing TFWs? | 
Response to Question: Is the job. 
offer related to an activity, contract - 
or a subcontract that will facilitate - 
outsourcing or offshoring? 


PL 


Film and Entertainment Requests 


Total number of LS involved T To: ascertai in the size 2 of the project - 


HA A RADAR AAAA AA AAA AAAA AAAA AAA AAA AAAA ABAD ARR IARAAARDADA AAAI ——————————————————————————————————————————A^^—^A——————————————————————————— RR 
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À Reason for which da 


the ‘production mE Ea ee MEE ne: 
| “Type of Production To identify the type of the production to ensure that it does not contravene | SI 
| | program requirements | 


| Copy of the contract between the | To verify the terms and conditions of the employment contract to ensure | 
employer and the foreign | they meet program requirements and that they meet generally accepted 
entertainer(except for film and WI | Canadian labour standards 

| Tequeste; 


wena 


[To identity cse AV by ende | -— " D EA LU. | Dc — 


PNIS CK NO I KIC CH C OR B A A a a A PS NIIS SII PINIISNISIIS TUE €! 


Soccer, T" TE if in Ca nada and | 
immigration Status 


A the or to determine e m S immigration. status and where the 
| TFW is located in Canada 


E LA AA AL ici 


ne of code | To identify if the employer is a sole proprietor or partnership and if ‘yes’, ‘to | ESDC — | CBSA 
| determine whether or not their personal information can be shared with - | 
provinces for the provincial nominee program | 


roses mr ———————— — €————————————————  ÀÓ a 


Signature of employer and third | To validate the employer signature against the LMIA request 
party (if applicable) 
Caregiver Program 
| "Employer #1 and Employer #2 | 
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E 


| *Employer #1 and Employer #2 — emnlover when clarification of LMIA application is needed | 


| numbers 
*Employer 41 and Employer #2 b To correspond with the employer in case of inspections or questions on the 


| CO nta C t u _ 


| contact | employer 
| Caregiver Job Offer Information — 
| Number of dependents (including 


H 
i 
i 
: 
f 


Eee 
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Data Elements 


| elderly person, person with 
: | disability, chronic or terminal 


TE AE See ee n nm m a m CCE RE TR RE ER RE RERO ER EEE CE CEC EC CCC EE EE EECE EE EEE EEE EEE DIDO REDO DORBIDI DOPOD DEDEDE IBID RBA BORE DER BEDE ABBE EEE EE USENET A ETES EEE SEEN RTE ERREURS VR 


ed and/or disclosed 


Given and last names ?J.- JLO j|  - 


Work and home telephone | and to make first contact when employer is selected for an inspection 


Address: number/street/PO Box# LMIA 


*Alternate contact person (spouse, the alternate contact when unable to contact the 
common-law partner, other relative | bots 
if applicable) | 


| 
*Given and last name of alternate | “To address the alternate contact when contacting him/her | ESDC - CBSA - 


*Telephone number of alternate | To correspond with the alternate contact when unable to contact the 


era ara a a a AS A LL UE A Er ER US Sn SSA ACAI HH SI ASAIN ASAI ae EIE Nm eder. 


those that do not live in the 
household). 


Type of care required (foreign |. 
caregiver must provide care for at 
least one designated individual) BN | | 
Relationship of the employer to | To assess a genuine need for a caregiver ESDC | CBSA | 

individual receiving care (i.e., child, | 


| illness) 


| Calculation of the financial abi lity of | To assess the ability of the employer to pay the caregiver | ESDC | CBSA 
| the employer - 


OR RAR BR RAIN " 
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| Data Elements > i i Reason for which. 


Will accommodation be A at | To assess the living ne TE Sof the caregiver 
| no charge? (attestation applies only 
| if the caregiver will live and work in 


| the same private household) — l | 


; Seasonal AE Worker Program NENNEN 


Mti DADRA EAS PE YS AAAS AEAEE AAA DEDE M a a aa a a a ARAARA A AAAA ARANAN AAAA ADA ANAA AARAA AAAA RAAE R A A AAAA aE AAAA aA AA n AAAA AA A A x MEEEMMMM 


worker Capea | Voies Ed omui to re year 
e This year 
e  Lastyeat — — 
| Total # of foreign agricultural For the officer to determine if there is an increase in the number of foreign 
| worker requested: workers requested compared to last year | 
e This year | | 
e lastyear — ^ o ooo 
If the requested number of workers 
is different from last year/season, 
please explain: 
List crops/commodities, “acreage, 
and memes harvested 


NCTE aa ia a denne, 


| For the officer to determine if the change in the employer's labour needs is 
| reasonable. | 


————————————————————À 


i To determine the type of housing provided {on-farm or off-site) and the | ESDC | CBSA 
| | weekly or monthly accommodations deductions. This can be verified during 
lan employer inspection. 


0 If housing is provided, employers. must | provide i proof that on-farm and/or | d ESDC CBSA 
off-site housing has been inspected by the appropriate | 
provincial/territorial/municipal body or by an authorized private inspector. A | 
negative LMIA may be issued if the employer does not provide: i) proof that 

É— [the on-farm and/or off-site housing has been inspected, ii) a copy of the|— h— .— .] —  — 
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sed Landari disclosed 


Data Elements Reason for v which Y 


Check one: 
Direct arrival, direct replacement, | 

double arrival, double transfer, 

| replacement transfer, double 
| arrival, transfer MEN 
Schedule A: SELLE ofa Third- Party Representative 


ST UT ar 


Legal N Name —— —— = —— —  — 
Third-Party IDE E = num abe DM hird party in the FWS — — —  |ESDC | CBSA 


Mailing Address. including. street | For correspondence with the third party on LMIA decisions and inspections | |ESDC- 
number, city, province, postal code, 
phone number and fax number. 


LOTTA —————————— ———————————— ERR 


Business Address including street | Secondary contact information to correspond with the third party in case of | FSDC 
number, city, province, postal code, | inspections or questions on the LMIA. | 
phone number and fax number. — 


Main activity of the business | | For officers to determine whether or not the services provided by the third | 
party are legitimate. 


To verify that the third parties charging a fee for support with the LMIA | ESDC 
application process are authorized and are one of the following: 
e lawyers and paralegals who are members in good standing of a 
Canadian provincial or territorial law society 
e Notaries who are members in good standing of the Chambre des 
notaires du Québec, and 
Immigration consultants who are members in good standing of the 
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Canada Border Services Agency 


| Job T Title n : È Tob ti title a associ jated with third party point ofc contact ESDC | CBSA 


| representative is unpaid and: 


Canada Border Services Agency 


TEWP ISA. VESDC J | PIA 


SPOT RPDS ADI s PEE Re pu E RENE ER pes DOPOD. A RARES ERA AS orne E A KA RIR HAN ARR A RAR AAAA AAAA AAAA AARAA LA REA LA RAR AA RAR SARA LA RAA AA LA RAA LA AARA —— MR RR AAA AAC ——————OAPPPPEOEORRI ES EEUPU OP ——  ———— RSS EEE SRE RENE ERO IOI S IIR LR 


| Data Elements | Reason for which data element i is collected, used uiis disclosed From: To: 


————— ——— — TE —————————————————————————— M is Rn ee EE NK ERREUR MK REECE Tea Te CET A UNA GE E UA RADIO À DS D II DI IIS IDD III III II III III ITS. 


Telephone Number | To contact the third party when clarification of LMIA application is needed ESDC — | CBSA | 
Fax Number LLL | To mail the LMIA confirmation letter and corresponding annex — —  ć ESDC CBSA | 
Email Address A secondary point of contact for the third party if unable to reach by other | ESDC CBSA | 


e means RARER RESO ET TET UT UM RAA UON TEENE ITI NS SET AAIE AEE EESE SONO 


Preferred Language of. To ensure that correspondence with third. party is in the correct langua ESDC CBSA 
Correspondente | 


| Name of Employer Business | | m BEN MEN FSDC ! CBSA 


Response to Question: The | 


e que =a Reno Eepe —  |CBSA 
| representative is, has been or will | 

be paid and is a member of good 

- ng of: 


3 
| 
H 


A ——---—«—«-—AA^LàOPOP———————eSeSeeeee———OÁRRPRRRREREREPPRPPPPPPPPREI 


Telephone Rug eee pem uM | __[ESDC — 
Alternate Telephone Number 


E-mail Address À 
Fax number PS NEMINEM | ESDC 
Name of Employer Applying for the | ESDC 


LMIA 


| System File Number NE. (S—: ESOC — 
Response to Question: Will the] SE 


CBSA - Released under the Access to Information Act. 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


———————————————————————— A a ae SESS 


Canada Border Services Agency 


TFWP ISA w... ESDC P PIA 


Data Elements 


ed: and/ or r disclosed - 


 ——Ó—— ——— ———  À AAA 


entry of TFWs lead to UE loses, 
now or in the foreseeable future, 
for Canadians and/or permanent | 
residents as a result of lay-offs, 
outsourcing, offshoring or other 
| factors related to the utilizing | 
ETS? LL : 
| Response to Question: Does this 
contract or a subcontract facilitate | 
outsourci ng or A AN 


ERPAT —(( ERE 


mm————————ÓÁX—————— — RR 


| Business Name 


— ere oe E: ———————————————— aa cree 


| Buse. AREE TENES street 
number c RE province, Boom code 


Number of mM d on 
| the LMIA application alk 
| Number of Canadi an/permanent 
resident employees currently 
employed in the occupation at the 
| work location a a 

| Number of foreign workers | 
| Pise. — bi the 


nan nn nn en RSR DSP DD DIS BTS AAAA SSSR PPS 0 RIANA ARAARA ARARA RA E EP EEE SCOOTER annon ccc EEE AEE EAE 


NOON NAC a aa ain A II I T TT TTD e 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


TFWP ISA w.… ÆSDC / PIA 


. | 


Data Elements 
| Total number if employees 
| currently employed at the work 
location specified on the LMIA 
application | -— . | — — | 
Number of employees currently | ME JEJE ESDC CBSA | 
| employed nationally under this CRA 
| Seasonal Occupation, if yes, peak 


| employment season and total 
Ro cere - " — ———— EN setae 
| completed a Transition Plan for this 
occupation at this work location 
| before? If yes, did the number of | | 
TFWs decrease relative to the | | 
| number of Canadians/permanent 
| resident workers for this 
occupation at this location as a 
result of activities conducted in the 
Transition Plan. — - (dL 
Description of planned activities — 


Results of planned activities — | 7 ——— 
Actual results of activities — . mm—— — — — | 
Milestones/benchmarks for | EE 

— proposed and actual] ss mE 


Canada Border Services Agency 


Canada Border Services Agency 


TFWP ISA wi... ESDC / PIA 


L Data jm | | Reason for which da 


i est m ~ eT aaa 
e Total number of applicants | 
e Total number of applicant 
interviewed 
e Total number of positions 
offered 
e toral number of applicants 
For "m activity, ‘rational for not ational for not) | ESDQ 


hiring Canadians/permanent 
resident candidates 


| 


Foreign Caregiver Specific Genuineness Documents - data elements used for the genuineness assessments are listed below each 
document. While other data elements may exist on the document, employers are asked to redact all unnecessary information when 
Submitting them as they are not used as part of the assessment. MERKEN 

Pay Stub of applicant Pay stubs are required to provide proof of salary. They indicate the weekly or 
| Personal information elements | yearly income and therefore contribute to substantiate the employer's 


required (all other elements | financial situation. 


redacted): | | 
® Name of ER hiring caregiver | Applicants will be asked to submit 3 pay stubs from 3 different pay periods | | 
e Remuneration paid | throughout a 12-month period. | | 
| Employer confirmation of salary - |n absence of paystubs, applicants can submit a letter from their employer | .ESDC CBSA 


indicating their current salary and the number of years of service for said 
employer. — 1 | 
In absence of paystubs or employer confirmati on, applicants can provide a | | ESD 


| | Confirmation of ability to pay from 


| bank or notary | etter from their bank or notary indicating their ability to pay the salary | __ 


IRR A NR AN AR A AA AA AN I AA RARO ARA NA N EIN S T T er eee 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


TFWP ISA w... ESDC i PIA 


Data. Elements 


— ——————————— M PÉÓPP PEPPER EEEE — MNA NAA AAAA AAAA ———————— 


| Medical Disability Certificate 
Personal information elements | as the person medi ing care in the LMIA is a s disabled + person, “thas confirming 
required (all other | elements | the need for "care of a disabled person" category. Consent to release 
redacted): personal information from the person receiving care will be included on this | 

e Name of disabled person certificate. 

€ Address of disabled person 

e Confirmation of Disability 


| Old | Old Age Security Card i | OAS card will provide evidence that the individual in need of care is a senior | ESDC | CBSA . 
Personal information elements | person. OAS card does not provide age, but is issued as per rigorous process 
required (oll other elements | insuring applicant is over 65 years or older. OAS is a good alternative to an | 


| redacted): unavailable birth certificate. 

. * Name  — 
Passport (Senior Citizen) 

Personal information elements 


required (all other elements 


PE ne NNN NNR SEC iin 


Passport provides evidence of date of birth and name, thus confirming the | ESDC — | 
need for care for the "senior home support care" category. . Can be | 
requested as an alternative to birth certificate, but for senior people only. 


redacted): Name: to cross-reference with information provided in  LMIA 
| * Name application/TFW System 


e Date of birth | Date of birth: will provide evidence that the individual(s) in need of care 


| is/are a senior person(s). 


Form Birth = Certificate | Long- -form Birth Certificate provi ides evidence of date of birth, names of the | | ESDC 
(Mandatory for child, accepted for | child and of the parent(s), thus confirming need for care for the "child care" 
Senior citizen as proof of age) category. 
| Personal information elements | Parent's Name(s}: to cross-reference with information provided in LMIA 
required (all other elements | application/TFW System. Parent's name(s) on Birth Certificate must be same 


redacted): as Employer's name(s). 
| © Name (last, given names) | _| Child's name and date of birth: will provide evidence that the individual(s) in 


MD SS 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


TFWP ISA Wiss ESDC : | PIA 


Foreign Birth Certificate (certified | Foreign Birth Certificate should be provided in the absence of a Long-Form 
translation required if birth | Birth Certificate (e.g., child of permanent resident/immigrant families born | 
certificate not in English or French) | in the country of origin). It provides evidence of date of birth, names of the 

|! Personal information elements | child and of the parent(s), thus confirming need for care for the "child care" | 
required {all other elements | category. | 

redacted): Parent's Name(s): to cross-reference with information provided in LMIA | 

e Name application/TFW System. Parent's name(s) on Birth Certificate must be same 

e Date of birth as Employer's name(s}. 

e Parent’s name(s) | Child's name and date of birth: will provide evidence that the individual(s) in 


x 


Adoption Certificate of Child provides evidence of date of birth, names 
Personal information elements | child and of the adoptive parent(s), thus confirming need for care for the 
| required (all other elements | “child care" category. Alternative document to confirm need for child care in 
redacted): absence of a Long Form birth certificate. 
e Name | Parent's Name(s): to cross-reference with information provided in LMIA 
e Date of birth | application/TFW System. Parent’s name(s) on the Adoption Certificate must 
e Adoptive parent's name(s} be same as Employer's name(s). 


e Proof of Guardianship Child's name and date of birth: will provide evidence that the individual in 


.ESDC 


Personal information elements | 
required {alf other elements | 
redacted): 

e name of employer 
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Canada Border Services Agency 


| TEWP ISA Wi ESDC / | piä 
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| Data Elements 


From: 


AR AAARABA NS RSS RUNE RAMS NN RA RR AA AR ARN AN AAN III III III III III III III III AM RA ARA RAM A AA vue À — eeir 


Reason for which 


e line 150 - . Total i income of 
employer 


E Business Licence. | This d ocument, hen required, is the best tool to assist officers in assessing .ESDC | CBSA 
Personal information elements | whether the employer is actively engaged in the business in respect of which | 
required {ail other elements | the offer is made and is not always required to support the LMIA application. | 


redacted): The notable exceptions are new employers to the program, or employers | 
e Employer/business name that have risk factors, such as credible media complaints or past Labour 
e Employer address Market Opinion (LMIA) refusals for genuineness and employer compliance | 
e Description of business | reviews (ECRs). | 


activities permitted pursuant | À typical business licence will identify an employer's business location, the 
to business license | type of activities that are authorized and will corroborate that an employer | 
| is actively engaged in the business with respect of which the job offer has | 
been made. 
| 


Rationale for required data p 


T PETT on | the CUTE /in the SEN one avaflsble in the | 
public domain in order to substantiate consistency in the active engagement 
of their business. 


. T2 Schedule 125 Income Statement | The T2-125 schedule will provide evidence that the ‘employer generates IE 
Information revenue and is therefore actively engaged in providing goods and/or services | 
| 
| 


Personal information elements | in Canada. 
required {alf other elements | This CRA information is only requested in circumstances where an officer 


| redacted): | needs to verify the genuineness of an employer's job offer due to risk | | 
: —  — 1 factors,” „including crec : lible medi uw re [o or past LMIA refusals for | d 


Canada Border Services Agency 


TEWP ISA wi. ESDC 


Data Elements 


name) 

e CRA business number 

e Tax year-end 

e Operating name 

e Description of the operations 

e Business income and expense 
information 

e Employer Address 


Information. 
| Personal information elements | 


redacted): 
e Name of corporation (business 
name) 


e CRA business number 

€ Tax year-end 

e Net income (assets, liabilities, 
shareholder equity and 
retained earnings) 

e Employer Address 


Canada Border Services Agency 


Name of corporation (business 


| T2 Schedule 100 Balance Sheet | | 


| required (all other elements | 


Reason for which data element i is collect 


genuineness. 


Rationale for required data points: 
Employer business number, name, description and address — to cross 
reference with information provided on the application / in the system, to 


su a bd ARA in the active eng sente of their business. 


: JUNI nie revenue ED provi siding HU pru services n 


therefore can be used to satisfy the officer that the employer is actively | 
engaged in their business. | 


—Á— A AAA MI D I MEE RR RR E RR E AA AA A A AA AR AI RII EEE EDD SA 


This T2 — schedule 100 balance will provide evidence that the employer 
generates revenue and is therefore actively engaged in providing goods. 
| and/or services in Canada. | 
The CRA information is only requested in circumstances where an officer 
needs to verify the genuineness of an employer's job offer due to risk 
factors, including credible media reports or past LMIA refusals for | 
genuineness and ECRs. 


Rationale for ue data pom 


on thé me cation / in the system, to substantiate ee in the activa | 
engagement of their business. 


TENN ARR EA ARR RAR ARR RARE S Ra aa a AAA ARR AM RARE PR UP APP PPP PP PT TP TT A ii iin m T EO ETO TESTE STE SEEDS SESS RR ER A NE EE eR 


EM 
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| Data Elements 


——— tttm tme E ————— ——— J€—— ERRARE 


| Workers' Compensation. Clearance | "Phe . awerker's compensation ‘clearance letter will corroborate that an 
| Letter employer is reasonably able to fulfill the working conditions that are 
i consistent with Canadian standards and the terms outlined in the LMIA. D 
| WRAPA Certificate (Mani toba) | The WRAPA Certificate will corroborate that an employer (or recruiter if | ES 
| Employer tombstone : registration with province is required) is in good standing with respect to | 
information | employment (or recruitment) legislation in the Manitoba. 
e 3rd party information | 


Annex to the. appointment of | 
representative form (ESDC EMP 
5520} 


All third parties charging a fee for support with the LMIA application process | E 
must be authorized and be one of the following: 
e lawyers and paralegals who are members in good standing of a 


Personal information elements | Canadian provincial or territorial law society 
required {all other elements e Notaries who are members in good standing of the Chambre des 
redacted): notaires du Québec, and 
e Surname | e immigration consultants who are members in good standing of the 
e Given name(s} immigration Consultants of Canada Regulatory Council 
e Business name Rationale for d usa data points: 
e Signature of the employer | Business name, employer signature and name of representative 


e Name of representative | The re on the form confirm whether the 3™ party representative is | 
e Signature of the representative authorized and if the employer has consented to being represented by that | 
third party. 


[T2 Schedule 125 Income Statement | The T2-125 schedule will | provide evidence that the employer generates 
information | revenue and is therefore actively engaged in providing goods and/or services 
Personal information elements | in Canada. 

required (all other elements | This CRA information is only requested in circumstances where an officer 


mtem teh t tt Ie eto wm —————Á———ÉÓUURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRER 


Minn tmn nii E ————————————AAA————AA—AA—AA—A—A—AAA———-A—-——€^—^—^———«— REA 


ARR APR PPP PAPA MEAM AM M ATI etti rrr irn eme TIS AA A A A m NOR E ALIA 


CBSA - Released under the Access to Information Act. 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


TFWP ISAs ./ESDC 


re Tor a — 
e Name of corporation {business 
name) 
e CRA business number 
e Tax year-end Rationale for required data ada 
Employer business number, 


factors, pu eredlible: media reports or Bist LMIA refusals 2M 
| genuineness. | 


e Operating name 


e Business income and expense | SUbStantiate consistency in the active engagement of their business. | 
come, tax year end and expense information — evidence that the | 


Business in 


information 
e Employer Address 


employer generates revenue by providing goods and/or services and | 
therefore can be used to satisfy the officer that the employer is actively 
engaged in their business. 


| Federal Skilled Worker Program — E 
| T2 schedule 100 and 125 


Personal information elements | employers as they are usually returning in a different tax year). 
required (all other | elements | | 

redacted): The T2 schedules 100 and 125 will allow an Officer to determine financial | 
ability to pay the wage). 


+ name of employer, 

s BN # of employer, 

e Schedule 100 line 3849 
Retained earnings 


Schedule 125 line 9999 Net Income 
- Total income of employer (that 
will allow an Officer to determine | 
Jinancial ability to pay. 


LCRA PD7A — | 


SOOT ESSN CETTE COUN ANNA a aae am ARR RARE PRE PRES OOOO ESTEE ATT mamme mm EEE ttem S SAP MARIAM EEE EEE EEE ee aia e eie ea a 2222 AAA rr A A OEC AA EEA espe nee UU a UU n UU UM rrt mmm nett AAA 


Canada Border Services Agency 


The T2 schedules are collected each time new employers and returning ESDC 


PIA 


| 
e Description of the operations | reference with information DIGNE on the application mu in thé systern, ib | 


Canada Border Services Agency 


TFWP ISA Wisi ESDC i 2 io 


r information EE 
required {all other | elements 


ET The CRA ec busi — — sr ME 
they submit their next annual tax. Also, to make sure the employment is not 


redacted): seasonal. 
e Business number | 
e Employer name The business number, employer name and address are cross referenced with | 


the information submitted on the LMIA application ~ to verify the | 
information pertains to the same employer. 


e Number of employees in 
last pay period 

| End of remitting period for which | 

|! deductions where withheld. | The number of employees on the last pay period is to provide proof that the 

employer is | iS pay ing ss 


Paid 
Personal information elements 
required (all other elements 
| redacted): 
e Employer Account Number 
e Employer Name and 
Address 
Total Number of 14 Slips 


and is therefore actively phased in -neoviding inn and/ót services in | 
Canada. 


Rauna for required data ee 


on the Se eee IT in thes Nan to ssulistaatiata consistency: in ‘the active | 
engagement of their business. 


Financial information — evidence that the employer generates revenue for | 
the purpose of oA NEA. that bad are pan die Provides an 


12125 | [The 12125 will provi ide evi dente that the er quw Benorates: revenue and is 
Personal information elements | therefore actively engaged in providing goods and/or services in Canada. 


| required {all other elements 
redacted): This CRA information is only requested for Sole proprietorship in lieu of T2 
o _Name of of corporation. NEM RL 100 and 125 in circumstances Wnere nec needs to o verity mer __ m" 


JFWPISAw. ,ESDC 


Data Elements 


(business name). 

e CRA business number | 

e Fiscal Period 

e Operating name 

* Description of the 
operations 

e Business income and 
expense information 

e Employer Address 

e Product or Service 

e Industry Code 


Transition Plan 
Payroll statements 
Personal information elements 
required {all other elements 
| redacted): 
TFWs and  Canadian/permanent 
residents 

e employee name 

e employee number 

è wage 

® deductions 

€ hours of work 

e hourly wage 

e benefits 

e first three numbers of the 


Canada Border Services Agency 


| Reason for which 


| For ESDC to determine if an employer followed through on their 


| PR workforce (evident with the first three numbers of a SIN). 


| substantiate consistency in the active engagement of their business. 


engaged | in their business. 


l PIA 


sed and/or disclosed 


genuineness ofan ao $ job ofer due to ri isk factors, including credible 
media reports or past LMIA refusals for genuineness. 


os for required data points: | 
mplover business number, name, description and address — to cross | 


mein with information provided on the application / in the system, to 


Business income, tax year end and expense information — evidence that the 
employer generates revenue by providing goods and/or services and 
therefore can be used to satisfy the officer that the employer is actively | 


DA aia aan PLATELET IOC 


| ESDC 
commitments through the transition plan requirements. The payroll data | | 


elements are critical in assessing an employer's transition to a Canadian and/ 


It is also used for the assessment of whether or not the employer followed 
through on commitments to increase wages, provide additional benefits and | 
offer flexible hours. : 


| Personal | information elements | 


Travel itinerary/Invoices 


| redacted): 


| redacted): "submitted with a signed letter of consent from the individual to whom the 
| 
| 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act. 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


TEWP ISA v... ESDC i PIA 


To a 
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Timesheets | Timesheets are used in combination with payroll statements to determine | ESDC CBSA | 
| whether the employer followed through on commitments to offer flexible 
required {all other elements | hours. | 
redacted): 
e employee name 
e employee number 
e hours of work C NOCERE ONERE RC RNC HERREN RR REM. TI 
For ESDC to determine if an employer followed through on commitments to | ESDC CBSA 
relocated Canadians/PRs for employment. The travel itinerary/invoices assist 
in substantiating that the employer paid for transportation. 
*submitted with a signed letter of consent from the individual to whom the 
*  traveller's name travel itinerary/invoice belong. | 
e point of origin 
e destination 
e travel date 
e copy/proof of payment of 
transportation costs 


Invoices (ongoing X advertising, For ESDC to verify start and end date of advertisement to ensure that 
participation at job fairs employers have followed through advertising commitments and to verify 
Personal information elements | that the employer attended a job fair (in particular, where the employer | 
required (all other elements | committed to attending multiple job fairs) 


Personal information elements | 
required (all other | elements 


CBSA 


e authorized purchasers 
name 


| invoices belong. 


TFWP ISA w.... ESDC ; : PIA 
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| Data Elements 


| e dates. 
Employment - Contract/Letter - P of | For ESDC to verify - that the employer - followed - through on their ESDC 

| Offer commitments to transition to Canadian/PR workforce and their commitment | 
| Personal information elements | to providing any of the following as incentives: 
| required (all other elements | e increase wages offered 
| redacted): e part-time or other flex-time/shift work options 

e employer contact | e  bursaries/scholarships 

information: business | e financial support for relocation 


name, surname and given 
name, address, phone 
number, fax number and 
email address 

e employee contact 
information: surname and 
given name, home address, 
phone number, fax number 
and email address 

e duration of contract 

e job description 

e work schedule (hours) 

e wages and deductions 

e  bursaries/scholarships 

e relocation costs 


training opportunitie g | 7 a n - ] Zn 


"Empl loyer Compliance 


| e training programs | 
| “submitted with a signed letter of consent from the individual to whom the | 
| employment contract or letter of offer belong. 


E 


| | Employer Compliance. For the purpose of the CBSA investigating any other alleged non-compliance | ESDC CBSA 
Review (ECR}) Results: | with the IRPA | 


AA TARA AARAN A ARR PP 0 aa AARAA AAAA RAA AA AAAA AAAA AAAA E PL à Pe 
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ERR 


TFWP ISA v... /ESDC 


1 
1 
1 
E 
4 
4 


e 


g 


e 


& 


& 


e 


employer name 
contact information 
job title, occupation 
and NOC codes 
results of findings, 
including areas of non- 
compliance and 
associated corrective 
actions to be 
undertaken 

findings of non- 
compliance 


_® ECR period — 
Inspection 

Conditions of the LMIA 
confirmation . 


employer name and 
contact information 
job title, occupation 
and NOC codes 

results of findings, 
including areas of non- 
compliance and 


Canada Border Services Agency 


Working Conditions (WOW) 
of the LMIA confirmation 


Results: 


with the IRPA 


| 


Re 


TFWP ISA w.....'ESDC 2004 PIA 
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Data Elements 


1 
1 


undertaken 

e findings of non- 
compliance 
inspection or review 
period 


employer name and contact 
information 

job title, occupation and NOC 
codes 

type of instruction ordered 
date of decision 


Upon request, or on its own initiative, as appropriate, the CBSA may disclose the following information to ESDC for the purposes of assessing requests 
for LMIAs, reviewing such opinions or carrying out an inspection under the IRPR: 


e information related to employers who have submitted an application under the TFWP/FSWP and for which charges have been laid as 
well as when convictions are rendered 
e aggregate and non-case specific statistical information on TFWP-related criminal investigations 


excluding the disclosure of case-specific information pertaining to ongoing criminal investigations 
e convictions under the IRPA of employers who requested or received an LMIA 


Canada Border Services Agency 


TFWP ISA M. ESDC - ^ - PIA 


e information received by the CBSA, including tips from third parties, that may not warrant criminal investigation and would instead be 
more appropriately addressed through regulatory actions by ESDC 


Furthermore, the CBSA will endeavour to inform ESDC prior to undertaking public communications activities related to a TFWP-related criminal 
investigation. Table 4 reflects the criminal charges/convictions information which will be shared with ESDC: 


Data El ements | 


IY help. assess. queue for LMIAs, review en opinions Of carry out an 
inspection under the IRPR 


PATEE POS OPT AENT ERTI DOE NN III TS de 


) (of Subject) 


To help assess requests for LMIASs, review such opinions or Carry out an | | CBSA ESDC 
inspection under the IRPR | 


| Given name(s) 


| To help assess requests for LMIAs, review such opinions or carry out an | CBSA  |ESDC . 
[inspection under the IRPR — — — ENS MINA 
To help assess requests for LMIAs, review such opinions or. carry out an | CBSA ESDC 


inspection under the IRPR u : 
| To help assess requests for LMIAs, review such opinions or Carry out an | 
inspection under the IRPR 


mmn E ——————————————————ÉÁÓÁÓÁÁÁÁ —— 


E To help assess requests for LMIAs, review such opini ons or “carry out an | CBSA 
inspection under the IRPR 


To help assess requests for LMIAs, | review such opinions or carry out an | 
inspection under the IRPR 


7 Business Name (if applicable) 


4 
B 
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| SECTION 4 - FLOW OF PERSONAL INFORMATION 


4.1 Data Flow Model - Diagram 


The management, administration and enforcement of the TFWP and FSWP are complex and the 
processes for collection, use and disclosure of personal information differ across the government 
departments and agencies. For the CBSA, the following four areas utilize TFWP/FSWP personal 
information: 


Border Services Officers (BSOs}: BSOs gather information from a variety of sources to determine the 
eligibility and admissibility of the FN, including the WP application, Letter of Introduction, GCMS-FWS 
interface, other information systems, and directly from the FN at the POE. 


Criminal Investigators (Cls): Investigators working in the Regional Criminal Investigations Units (CIU) 
and headquarters Criminal Investigations Program (CIP) of the CBSA receive information from ESDC and 
CIC (and other sources) regarding potential unlawful activity of employers and/or FNs within the 
TFWP/FSWP. Information received from ESDC for TFWP/FSWP investigations may include personal 
information of FNs, employees of the company, and other personal information. 


Inland Enforcement Officers/Intelligence Analysts (IAs): Officers of the Inland Enforcement Operations 
Division (IEOD) are responsible for investigating cases and presenting evidence before the IRB, which 
may lead to the detention and/or removal of the FN. For the TFWP, the most common investigations are 
of individuals who are not working at the location where the WP mandates, FNs remaining in Canada 
past the time permitted on WP, and other similar allegations related to the TFW. 


Intelligence Officers (lOs): The Intelligence Operations and Analysis Directorate (IOAD), and regional 
intelligence units, provide intelligence support to the CBSA and partner operations. They collect 
information for use by pertinent staff; most notably BSOs and investigators from CIP and IEOD. 


All four of the above groups may request and use ESDC information. In terms of disclosure of 
information to | ESDC, CIP and dus QR Criminal | eset Unit staff are the PUR to share 


instances. 


BSOs are highly unlikely to disclose information to ESDC as they are interested in receiving information 
from ESDC to support the examination of FNs at the border. Any information BSOs obtained that could 
be shared with ESDC would likely be shared by the CIP, Regional Criminal Investigations Unit or IEOD. 


IOAD and regional intelligence units may disclose information to ESDC but it is unlikely as IOAD and 


regional intelligence disclosures are almost entirely to CBSA enforcement programs and various Joint 
Task Forces. 
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s of this section the following legend applies: 


Start of Process (SOP) 
or End of Process {EOP} 


A white shading indicates a process/step completed by the CBSA 


A gray shading indicates a process/step completed by ESDC 


An orange shading indicates a process/step completed by CIC 


A blue shading indicates a process/step completed by the FN 


A yellow shading indicates a process/step completed by the Employer 
y a é p d y 


À green shading indicates a process/step completed by an Individual 
(general public) 


The work flows described in this section are as follows: 


BWN 


Determine Eligibility and Admissibility of FW at POE 
Request and Receive Tip Line Information (ESDC Disclosure to CBSA) 
Receipt of Information After an Employer Compliance Review and/or Inspection 


Public Interest Disclosure 


F 


In addition to these work flows, the CIP, Regional CIU, IEOD and IOAD may request case-specific 
information in accordance with the ISA. These requests are handled by ESDC on a case-by-case basis, 
will be assessed in the same manner as described in Section 4.3, and will be shared (if applicable) 


4.2 Determine Eligibility and Admissibility of FW at POE 
As reflected in Section A of the Introduction to this PIA, a prospective FN worker may be required to 
obtain an LMIA and/or a WP, and a visa depending on various factors. This section provides the work 
flow that employers must follow when seeking to hire a FN to work in Canada. 
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formation 


The work flow described below is supported by Figures 2 and 3 which reflect visual depictions of the 
various requirements and the work flow. Figure 2 provides a swim lane diagram reflective of the 


possible requirements for a FN to work in Canada. Figure 3 reflects a work flow under the assumption 


that the FN requires a WP, an LMIA, and a visa. 


The description below follows the work flow provided in Figure 3. 


In this RSEN the rinse ee the aPDrO rE LMIA Application and submits it to ESDC. The type 
of application completed by the employer varies based on the type of work to be performed. The 
various types and links to the related forms are found below, while the application for higher-skilled 
workers is also attached to this PIA as Annex D: 


a High eee and Low-wage Positions (also attached to this PIA as Annex D): 


Once the application is completed, the employer submits it to ESDC for consideration and Step 2 2.0 is 
triggered. 


Step 2.0: Assess IMIA Application (ESDC) 


Step 3.0: Provide LMIA to Employer (ESDC) 


in Step 2.0, the LMIA application is reviewed by ESDC against the relevant sections of IRPR (section 82, 
203 and 209). The LMIA is used to determine whether the employment of a FN is likely to have a 
positive or negative effect on the Canadian labour market. In Step 3.0, the employer is informed of 
ESDC's opinion regarding the LMIA. If the LMIA supports the FN working in Canada, the employer is 
notified and Step 4.0 is triggered. 


Step 4.0: Provide LMIA Confirmation Letter to FN (Employer 


In c-r 4. 0, the b P aa e the FN with the annex (to the iM IA Confirmation Letter, which the FN 


decis sion; employers sometimes cases to provide the letter to the M 


in the assumed scenario for this work flow, once the LMIA Confirmation Letter annex is provided to the 
FN, the FN may apply for his/her visa and WP. These steps are done in parallel. For the purposes of 
Figure 3, Steps 5.0 and 8.0 are done simultaneously, as are CIC's assessments at Steps 6.0 and 9.0. 


Step 5.0: Apply for Work Permit (FN) 


In this step, the FN completes the WP Application, as well as any accompanying forms, and submits 
them to CIC for an assessment. The WP application form is attached to this PIA as Annex F, but can also 
be found c at the following hyperlink: 
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Once submitted to CIC, Step 6.0 is triggered. 


Step 6.0: Assess WP Application (CIC) 


Step 7.0; Issue "Letter of Introduction" (CIC) 
In Step 6.0, the WP Application, and any accompanying forms or documents, are reviewed and assessed 
by CIC. If the WP Application is approved, the FN is provided a "Letter of Introduction" (Step 7.0). As 
stated earlier in this PIA, the letter is not the WP. The official WP document is only issued by CBSA at the 
POE after the FN has been determined eligible to work in Canada and the CBSA has determined the EN 


to be admissible to enter Canada. 


Once the Letter of Introduction is provided to the FN, Step 8.0 is triggered. 


Step 8.0: Ai 


step. ly for Temporary Resident Visa-TRV (EN) 
in this step, the FN completes the Temporary Resident Visa (TRV) application, any accompanying forms, 
and submits them to CIC for an assessment. The TRV application form can be found here and is also 


attached to this PIA as Annex G: 


Once submitted to CIC, Step 9.0 is triggered. 


TRV Application (CIC) 


Step 10.0: 


Issue TRV (CIC) 


step 11.0: Travel to Canada (FN) 


Step 12.0: Assess FN for admissibility, including TEW requirements (CBSA) 
In Step 9.0, the TRV Application, and any accompanying forms or documents, are reviewed and assessed 
by CIC. if the TRV Application is approved, the visa, which is an official counterfoil document issued by a 
CIC visa office abroad, is placed in the FN’s passport to show that he or she has met the requirements 
for admission to Canada as a temporary resident (Step 10.0). 


in the scenario presented in this work flow, once the FN has his/her “Letter of Introduction” (Step 7.0} 
and TRV (Step 10.0), he or she is ready for travel to Canada (Step 11.0). 
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At Step 12.0, upon arriving at a POE, the FN is assessed by the CBSA for admissibility to enter Canada 
and for eligibility to work in Canada. To determine eligibility under the TFWP, the BSO will access GCMS 
(FOSS in some areas until FOSS is decommissioned) which will allow view only access to ESDC's FWS 
data. The type of personal information the BSO is permitted to view is limited to the LMIA Application 
and resulting decisions by ESDC (see Steps 1.0 and 2.0). 


If the BSO is satisfied that the FN meets the eligibility and admissibility criteria, a WP is issued and the 
FN is permitted entry to Canada. If there are issues regarding customs seizures or admissibility issues, 


data may be entered into the ICES. 


Note: For visa-exempt foreign nationals, the CBSA assesses the WP application at the POE and issues the 
WP, if eligibility and admissibility criteria are met. 
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4.3 Request and Receive Tip Line Information (ESDC Disclosure to CBSA} 


In spring 2014, amidst several cases of alleged mistreatment of FNs and violations of the TFWP by some 
employers, ESDC sought avenues for FNs and concerned individuals to provide information regarding 
potential abuse of the TFWP by employers or individuals, to the federal government. Therefore, in 
contact ESDC via ‘telephone (voicemail only) or a web form 
(http://www.servicecanada.gc.ca/eng/about/integrity/tfwo/reporting.shtml). The individual is informed 
on the voicemail and the web form that it is their option to remain anonymous or provide name and 
contact information. 


The OFRT provides proper notice and consent to individuals before they provide information via the 
online tool. Annex H to this PIA details the information provided to an individual before they submit 
information via the web form. 


The tip information is maintained and tracked by ESDC's Service Canada’s Integrity Services Branch (ISB) 
in an ESDC SharePoint site. The information is not stored in the FWS. The voicemails are listened to and 
transcribed verbatim into a document that is stored in SharePoint. Web form data is also stored on the 
SharePoint site and is not edited by ISB. 


All tips received by ISB are assessed to determine if they are legitimate. Once ISB establishes the validity 
of the tip, it will search the FWS for other information to among other things, accurately identify the 
appropriate FN, third party, or employer. If, after the assessment of the tip, ISB believes the case may 


* 


warrant an ECR or other action, it will assign the case to the appropriate regional ISB staff. 


The overwhelming majority of tips received since summer 2014 have been handled entirely by ESDC; 
however, a small number of tips involved information that must be investigated for possible 
enforcement action by the CBSA. The work flow below describes the steps supporting the disclosure of 
information received via the OFRT to the CBSA. 


This section is supported by Figure 4. 


| Pro | Via Voice Mail (Individual 
The process begins by an individual providing a tip via the OFRT web form or voicemail. For the OFRT, 
after being presented with the information found in Annex H of this PIA, the individual is asked to 
provide consent to use the information they provide. The individual must provide consent by selecting 
"Yes" or information cannot be submitted via the web form. 


Subsequently, the individual is asked if, he/she will be in imminent danger or be at risk of serious 
physical injury by providing information on the web form. If the person answers "Yes", they are 
presented with the following Service Canada Confidential Tip Line phone number (1-866-602-9448), and 
are not permitted to submit information via the web form. 


Assuming the individual responds by stating he/she is not in any serious physical danger, the web form 
is completed with information relating to the suspected or alleged program abuse and/or fraud and the 


MEME RM RR OS ,  , A O,,A R RR 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


ot abe env Ac a 


TFWP ISA with ESDC : PIA 


individuals involved. Finally, the web form provides the individual with an option to provide their 
contact information. As reflected earlier in the process, anonymity is permitted. However, if the 
individual wishes to provide his/her information, they are asked to provide the following: 


First Name 

Last Name 

Contact Telephone Number 

A free text field to provide other contact information details 


sw EH 


The web form is sent to an ESDC general delivery mailbox and assessed by the ISB. 


For individuals who submit their tip via the telephone number {voicemail only), the voice mail is also 
managed by ISB. Internal procedures require the voicemail to be monitored daily. 


If the information provided by the individual merits a referral to the CBSA for enforcement of the 
IRPA/IRPR, Step 2.0 is triggered. 


i Step 20, if fthere fs. is suffidens ene to support a referral to the CBSA for potential enforcement 
action. ISB staff complete a form called “CBSA Lead Referral from SC/ISB". The form, attached to this PIA 
as Annex |, is emailed to CBSA CIP and will include all information provided from the tip. The tip will not 
include any other information from ISB's information systems, FWS, or any other ESDC information 
system. CBSA receives all information provided by the individual who provided the tip, including the 
individual's name and contact information, except when anonymity was requested. 


Step 3.0: Receive Referral Form and Generate Lead in CIIMS 


The email account to which ESDC mr the emai p is maintained by CIP HO. Once the form is received by 
CIP (Step 3.0), and if it contains sufficient information to proceed, it is used to generate a lead in CIMS 
and may create an investigation assignment (in CIIMS) to a regional investigator (Step 4.0). 


Once the investigation activity is assigned, Step 5.0 is triggered. 


Step 5.0: Initiate Investigation 


Step 6.0: Request Information from ESDC (if r 

In Step 5.0, the appropriate regional investigator initiates an investigation. The types of activities that 
are required to perform an investigation vary on a case-by-case basis. However, if during the 
investigation, a search warrant or prosecution is sought by the regional investigator, he/she will seek 
paper copies of various data from ESDC; most often a copy of the LMIA and correspondence between 
ESDC and the employer/individual. In Step 6.0, to obtain those paper copies, the regional investigator 
will send to the TFWP at ESDC requesting 
paper copies to support a search warrant or prosecution. The email from the CBSA must include at least 
the following information: 


Canada Border Services Agency 


CBSA - Rel d under the Access to Information Act. 


leased unde: 
ASFC - Divulgation en vei 


rtu de la loi sur l'Accès à l'information 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


TFWP ISA with ESDC | | PIA 


ia 1. Name of employer, third party or TFW, System File Number and other identifying details to 
ensure accuracy of the information; 
2. The section of the IRPA to which the investigation and the requested ESDC information relates; 
3. Timeframe of the records (for example, the CBSA may request all LMIAs provided to an 
employer over the last three years); and 
4. A description of the exact documentation being sought by the CBSA (e.g. copies of the LMIAs, 
any correspondences, etc.). 


Once the email is received by ESDC, Step 7.0 is triggered. 


In Step 7.0, ESDC assesses the CBSA's request to determine if it can disclose the information under sub- 
section 34(1) of the DESDA. This assessment allows ESDC to determine if information could be further 
disclosed under sub-section 35(1) of DESDA. In its assessment, ESDC will analyze the request against the 
ISA and determine what, if any, information can be released. If the program can disclose information, 
ESDC provides copies of the information via courier (Step 8.0). 


Once provided to the CBSA, the copies are stored in paper files. CIIMS has the ability to mark/identify 
the ESDC records as a source provided to the CBSA in accordance with the ISA. Furthermore, copies of 
documents that are provided to the CBSA are identified/marked with the source as being provided via 
-" the ISA and subject to secondary disclosure restrictions of the ISA. 
The copies are shared with the court (search warrant and prosecution), the Public Prosecution Service of 
Canada (PPSC) and the Defence attorney. The court could be federal, provincial or territorial. If the 
investigation is part of a joint investigation, the CBSA may share the information obtained during the 
execution of the search warrant with the partner agency; e.g. RCMP. 
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4.4 Receipt of Information After an Employer Compliance Review and/or Inspection 
As part of its responsibilities under the TFWP, ESDC may obtain information during an ECR and/or 
inspection of an employer which prompts the need to refer particular information to CBSA Regional CIU. 
This type of disclosure is performed regionally and varies as to whether the information is delivered via 
email or courier. These types of disclosures are anticipated to be done via courier, and again, are only 
provided to CBSA when it meets the disclosure provisions of the DESDA/DESDR and in relation to the 
administration and enforcement of the IRPA/IRPR. 


isclosure 


4.5 Public Interest D 
In addition to the above, ESDC may, on its own initiative, release information to the CBSA for IRPA/IRPR 
enforcement purposes if the TFWP is aware of specifics that would warrant invoking the Minister's 
authority under sub-section 37(1) of the DESDA. Sub-section 37(1) allows ESDC to disclose information 
if, in the Minister's opinion, the public interest clearly outweighs any invasion of privacy that could 
result from the disclosure. If ESDC makes any disclosure pursuant to sub-section 37{1} of the DESDA, it is 
required by sub-section 37(2) to notify the Privacy Commissioner prior to disclosure (if reasonably 
practicable) and the Privacy Commissioner may choose to notify the individual whose information is 
being disclosed. 
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4.6 Data Flow Model - Table 
This table summarizes the flow of data illustrated in the data flow diagram above. From whom or from 
what organization is the personal information collected? In other words, identify who is providing the 
personal information that is being used, will be used, or available for use for the program or activity. For 
multiple sources, indicate all sources. 


SOURCE IDENTIFY THE SOURCE 


The individual or a representative individual (Foreign Worker) 
individual (Providing abuse fraud information; if they 
chose not to remain anonymous} 
Employer (if a sole proprietor; and contact person for 
the corporation, which is provided on the LMIA 
Application — See Annex D) 
individual (3° Party Representative — See Annex E) 


A federal government institution (identify from CIC (CIC PPU 039, International Service: Overseas 
what PIB the information is obtained) immigration Case Files; and CIC PPU 054, Temporary 
Worker Records and Case File) 
ESDC (CIC PPU 440, Temporary Foreign Worker 
Program, ESDC PPU 171, National integrity 
Investigation for El”) 
CBSA (TFWP, CBSA PPU 050, CBSA PPU 035, CBSA PPU 
B 1402) 


| Non federal institutions 


~ Provincial Government N/A 


- Municipal Government N/A 


- Aboriginal Government / Council N/A 


- Organization of a Foreign State N/A 
- international Organization N/A 


- Located in Canada and Canadian Owned N/A 


- Located in Canada and Foreign Owned N/A 
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- Located abroad and Foreign Owned N/A 
4.7 internal Use and Disclosure 

Where will the information circulate within the CBSA? Identify any related programs or activities and 

personai information banks as identified in the CBSA Info Source chapter. 


PR * ESDC PPU 171, along with PPU 440, are identified in LMIA applications, but ESDDC PPU 171 requires 
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Program Personal information bank 


Operations/Intelligence (LOAD) and regional Temporary Foreign Worker Program/CBSA 
intelligence  units/criminal investigations PPU 050, CBSA PPU 035, CBSA PPU 1402) 
(CIPM regional criminal investigations unit 

(CIU)/ Inland Enforcement (IEOD) 


The individual or a representative Defence Attorney 


A federal government institution. Public Prosecution Service of Canada 
(for investigations that result in prosecution) 
immigration and Refugee Board of Canada 
(RB) Immigration Division Case Files, IRB 
PPU 140 


-  Provincial/Territorial Government Courts: For application of search warrant, 
production order, or prosecution. 
- Municipal Government Courts: For application of search warrant, 
i production order, or prosecution. | 


- A Aboriginal Government / Council N/A 


- Organization of a Foreign State N/A 


- international Organization N/A 


Private Sector 


- Located abroad and Foreign Owned N/A 


4.9 Retention / Storage 
Where will the information be stored or retained? Identify all organizations that will store the 
information. This includes duplicates of the databases containing the personal information or any 
back-ups. 
The individual or a representative Defence Attorney 
A federal government institution CBSA: GCMS/FOSS, NCMS, IMS, CIIMS, ICES, 
| STS, Paper files 


Public Prosecution Service of Canada 


Immigration and Refugee Board of Canada (IRB): 
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A Federal Records Centre N/A 


- Provincial Government Courts: For search warrants, production 
Order, or prosecution. 


- Municipal Government Courts: For search warrant, production 
order, or prosecution. 


- A Aboriginal Government / Council N/A 


- Organization of a Foreign State N/A 
- International Organization N/A 
Private Sector 


- Located in Canada and Canadian Owned N/A 


- Located in Canada and Foreign Owned N/A 


- Located abroad and Canadian Owned N/A 


- Located abroad and Foreign Owned N/A 


4.10 Other Possible Considerations 

Identify the areas, groups and individuals who access and handle the personal information: 

identify the areas / groups / divisions who are allowed to access and handle the personal information 
collected for the program or activity. Also, identify where these areas or groups are located (i.e. national 
capital region, within a province, in a foreign country, or several locations if tele-working) as well as the 
location of the personal information to uncover any potential trans-border or inter-jurisdictional issues. 
Where reasonable to do so, by virtue of the size of the organization or the number of individuals, identify 
individual positions rather than the work area or group. 


The CBSA responsible for program or activity: 


Identify Groups or Areas / ot Positions who have access or use the Geographical Location 
Divisions personal information (where appropriate) 


_ Border Services Officers BSOs Across Canada 
| E intelligence Officers, Intelligence | 
. IOAD Analysts 

Regional Intelligence Units junior and Senior Program Officers 
Nuit Senior Program Advisors 
cu Criminal Investigations Units Regional - Across Canada 
| CIP E Criminal investigators Headquarters 

.|EOD Enforcement Officers Across Canada 


Across Canada 


Other federal government Institution responsible for program or activity: (one table per institution): 
CIC TFWP Staff | Across Canada 
ESDC TFWP Staff/Integrity Services Branch Across Canada 


nm SNARE NSN NIU d d MITT tenants 


Canada Border Services Agency 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


| | (ISB) Investigators 

Public Prosecution Service of | 

| E Ld EE Prosecutorial staff Across Canada 
Canada 

Court Staff 


Across Staff 
Support Staff cross 5ta 


IRB 


+ rt og ; 31 " arch \ f ; r f | | | | 
Fours ARE SCAN judges and their staff Across Canada 


(for search warrant applications Judges and their staff Across Canada 
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Has a legal authority been identified for the collection of personal information for this program or activity? 


Statutory reference: Section 4 of Privacy Act (Section 4 has been interpreted to mean that a legal authority 
must be established for a collection of personal information, but section 4 does not provide legal authority for 
such a collection). 
Policy reference: Section 6.2.6 of Directive on Privacy Practices 
Yes 
LG Specify the legal authority and briefly explain its connection to the program or activity or how it 
permits the collection of the personal information: 


With respect to the CBSA-ESDC ISA, personal information is collected pursuant to Sections 11, 20 
and 22 of the Immigration and Refugee Protection Act and Part 11 of the immigration and 
Refugee Protection Regulations. 


in addition to what is identified in the ISA, personal information is also collected by the CBSA 
under sections 15, 16, and 18 of the IRPA and s. 5 of the CBSA Act. 


Also, pursuant to paragraph 8(2)(a) of the Privacy Act, and under section 209.92 of IRPR, the 
CBSA has the authority and discretion to disclose information related to the TFWP to ESDC for 
the administration or enforcement of the TFWP, the FSWP and the IMP. 

Also, subsection 4(2) of the IRPA states the Minister of Public Safety and Emergency 
Preparedness is responsible for administering the Act as it relates to the enforcement of the Act, 
including arrest, detention and removal. 


1.2 X] Is the personal information collected directly related to an operating program or activity? 
Details: TFWP information collected from ESDC, via the ISA, is directly related to the CBSA's 
responsibility to administer and enforce the IRPA, including the responsibility to issue WPs at 
POEs, determine the admissibility of persons seeking to enter or remain in Canada, and to 
investigate and prosecute contraventions of the offence provisions of the IRPA, among others. 


— Continue to Question 2 


No 
.1.3 [| If there is no legal authority for the collection of personal information, it cannot be collected. Please 
consult your legal advisor to determine if there is authority to proceed with the program or activity. 
**The PIA process must not continue without this key information.** 
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2. Necessity To Collect Personal information 


Is each element and sub-element of personal information collected or to be collected necessary to 
administer the program or activity? 


Statutory reference: Section 4 of Privacy Act 
Policy reference: Sections 6.1.1, 6.1.3, 6.1.4, 6.2.7 and 6.2.8 of Directive on Privacy Practices 
YES 


news nt PIB. 
**Personal Information Bank (PIB) should be found within “Section 1 — Overview and Initiation” above** 


| AND, impiement controls and procedures to ensure the CBSA does not collect more personal 
information than is necessary for the identified program or activity and that a continuing need exists 
for that information or its collection. 


2.3 Are secondary uses contemplated for the information collected? 
**Treasury Board defines a "Secondary Use" as a purpose that is not consistent with the original purpose of 
the collection.** 
— YES [X] NO (Continue to Question 3) 

*if you've selected "Yes" to Question 2.3 above, please note that Consent is required for all "Secondary 
Uses", Please ensure that a "Consent Statement" is created. Please refer to -4. Direct Collection - 


2.3.2 If not, is there authority for the use or disclosure of the — iÓiforiiation? 


**Please ensure that the Legal Authority identified above allows for all uses and disclosures of the personal 
information.** 


| YES | |NO 
— Continue to Question 3 
NO 
2.3 | |] Review the proposed elements and sub-elements of personal information outlined in "Section 3 — 
Analysis of Personal Information Elements" to identify those that are "necessary" and not merely 
useful. Document any changes. 


3. Authority For the Collection, Use or Disclosure Of the Social Insurance Number 


Is the collection of the Social Insurance Number (SIN) necessary to administer the program or activity? 


YES 
3.1 | | Collection of the SIN must be in compliance with the Directive on Social Insurance Number [please 
check all appropriate boxes below): 
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3.2 Gq State legal authority for collecting the SIN: 


OR, in the absence of a legal authority to collect the SIN: 
3:3 a Establish explicit authority through legislative amendment(s). 


.3.4 | | Establish legal authority as outlined in the Directive on Social Insurance Number. 


AND, if disclosure of the SIN by the CBSA is to occur on a routine or systematic basis 
3.4.1 | | to another federal institution that is authorized to collect it, or to another level of government, 
establish an agreement or arrangement that includes specific provisions to limit the use of the 
SIN. 
3.4.2 |] to a contractor or other external service provider, establish a contract that includes specific 
provisions to limit the use of the SIN. 
3.5 AND, ensure that the relevant PIB for the program or activity states the authority under which the 
SIN is collected and the purpose for which it is used. 
—» Continue to Question 4 
NO 
3.6 The SIN is not necessary and it will not be collected, used or disclosed to administer the program or 
activity. 


— Continue to Question 4 


. 4. Direct Collection - Notification and Consent (as appropriate) 


Is personal information collected directly from the individual to whom it relates? 


YES 


i individual at the time of collection and it must include the following elements: 
a) The purpose and authority for the collection 

b) Any uses or disclosures that are consistent with the original purpose. 

c) Any uses or disclosures that are not related to the original purpose 
(This element need only be included when additional uses or disclosures on a regular basis are 
contemplated at the time of collection for a purpose other than the original purpose or a consistent 
use, in which case a "Consent Statement" may need to be added to the "Privacy Notice" — see 
below for "Consent Statement" elements.) 

d) Any legal or administrative consequences for refusing to provide the personal information 

e) That the "individual to whom the information relates" has rights of access to, correction of and 
protection of personal information under the Privacy Act. 

f) A reference to the for the program or activity 
(This element need only be included when the notice is to be given to the individual in writing.) 
**For a copy of the CBSA Privacy Notice and Consent Statement template, contact the ATIP 
Division. ** 

g) Why the SIN is collected, how it will be used and the consequence of not providing it. 
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(This element need only be included when the SIN is being collected — refer to “3. Authority For the 
Collection, Use or Disclosure Of the Social Insurance Number" above.) 


AND, add a "Consent Statement" to the "Privacy Notice" as appropriate, if the personal information is to 
be used or disclosed for a purpose other than the original purpose (Secondary Use) or a consistent use, 
or, to authorize indirect collection of personal information. 
4.2 [X] The "Consent Statement" must include the following elements: 
a) The purpose of the consent and the specific personal information involved. 
b) In the case of indirect collections, the sources that will be asked to provide the information. 
(This element need only be included when personal information is to be collected from another 
Source e.g., person or organization with the consent of the individual) 
c) Uses and disclosures that are not consistent with the original purpose of the collection and for 
which consent is being sought. 
(This element need only be included when the individual's consent is sought for a secondary use or 
disclosure that is not consistent with the original purpose for which the information is collected. To 
find out if the individual's consent is necessary for such a use or disclosure, please consult the ATIP 
Division) 
d) Any consequences that may result from withholding consent. 
e) Any alternatives to providing consent 
**For a copy of the CBSA Privacy Notice and Consent Statement template, contact the ATIP 
Division** 


(43 LX] AND, implement controls and procedures to ensure that the CBSA keeps a record documenting 


whether or not an individual provided consent when it was sought, including a record documenting 
any withdrawal of consent when applicable. 


Additional Consent Considerations (s. 77(1)(m) of the Privacy Act): 
[X] Standards and mechanisms are in place to ensure that the individual has capacity to give 
consent. 
—2 Continue to Question 5 
NO 
4.4 The personal information necessary for the program or activity is not collected directly from the 
individual. it is collected indirectly, for example, from another program within the CBSA, or from 
another institution, government or third party. 


Note: information collected as part of the TFWP/FSWP is direct and indirect. For the WP application process, 


_BSOs at the POE obtain information directly from the individual, as well as indirectly from ESDC and CIC. 
Information on employers (and contact details of employees of the company) as well as third party 


representative information may be collected at the POE indirectly — from the FN or via the FWS-FOSS/FWS- 
GCMS interface. However, ESDC and CIC have presented all individuals with a proper Privacy Notice and 


. Consent Statement (when required) to support the CBSA's use of the information. Also, at the time the FN 


presents him/herself at the POE, some information may be collected directly from the individual during 
examination and via the E-311 Form (where applicable). That form is compliant with section 4.1 above. 
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Also, information collected by the CBSA for investigation and intelligence purposes are not direct collections. 
They are collected on an as needed basis and used in accordance with the IRPA. Information is collected from 
ESDC as reflected in Section 4 of this PIA. 


— Continue to Question 5 


Is personal information collected indirectly from another source with the informed consent of the individual 
to whom it relates, or from a person authorized to act on behalf of the individual pursuant to section 10 of 


Statutory reference: Sections 4 and 5 of Privacy Act and section 10 of Privacy Regulations 


Policy reference: Sections 6.1.1, 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices and sections 6.1.2 
and 6.4.1 of the Directive on Social insurance Number 


YES 


DX, The notice and consent requirements stated at Question 4 apply. Please provide the "Privacy Notice" 
and/or "Consent Statement" below: 
**For a copy of the CBSA Privacy Notice and Consent Statement template, contact the ATIP 
Division** 


.5.2 DX AND, implement controls and procedures to ensure the CBSA keeps a record documenting whether 


or not an individual provided consent when it was sought, including a record documenting any 
withdrawal of consent when applicable. 


.5.3 | | AND, if information is being collected from persons authorized to act on behalf of minors, 


incompetents or individuals who have been deceased for less than 20 years, implement appropriate 
mechanisms to ensure that such persons are authorized to act on behalf of individuals who do not 
have the capacity to provide consent. 


— Continue to Question 6 
NO 


5.4 | | — Continue to Question 6 


Is personal information collected from another source without notice to or consent from the individual to 
whom the information relates? 
Statutory reference: Sections 4, 5, 7 and 8 of Privacy Act and section 10 of Privacy Regulations 


Policy reference: Sections 6.2.6 and 6.2.9 to 6.2.13 of Directive on Privacy Practices, section 6.2.15 of the Policy 
on Privacy Protection and sections 6.3.2 and 6.3.3 of Directive on Privacy Impact Assessment 


YES 
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ie or consent from, the individual to whom it relates, please check the applicable boxes and explain as 
requested: 


State the applicable paragraph(s) of subsection 8(2) and provide a brief explanation for each: 


Details: ESDC collects personal information related to the TFW from employers without 
the explicit consent of the T | 
employer for the purposes of obtaining employment. ESDC is of the view that the - 
provision of personal information by the TFW for consideration of employment is 
consistent with the employer's disclosure of this information for the same purpose (to 
ESDC and CIC for the LMIA and WP process). The TFW makes a choice by providing - 
his/her personal information to the employer to determine eligibility for employment. If - 
they did not agree with the employer submitting their information to the TFWP, they 
would not be considered for eligibility for employment under the program. 


X] b) Direct notification of the individual might result in the collection of inaccurate information, or 
might defeat the purpose or prejudice the use for which the information is collected. Briefly - 
explain why notice is not provided: 


The information involved in the program or activity is to be used solely for a non- 


information relates. (This includes research, statistical, audit or evaluation purposes.) 


IX] AND, if any of the circumstances in a) b) or c) is applicable, ensure that it is reflected in the relevant 
PIB. Note: this is reflected in the ESDC PIB. | 

AND, if the information is to be used solely for a non-administrative purpose (box c above has been 
checked), ensure that the requirements under sections 6.3.2 and 6.3.3 of the Directive on Privacy 
impact Assessment have been met, and that the decision of the official responsible for section 10 of 
the Privacy Act to proceed with a CBSA PIA for the program or activity has been adequately 
documented in the description of the program or activity in "Section 1 - Overview and PIA Initiation" 
of the CBSA PIA. 

64 | | OR, if none of the circumstances in a) b) or c) is applicable, then the personal information must be 
collected directly from the individual, or indirectly with the consent of the individual. Please review 
the responses to Questions 4 and 5 and ensure that the "Privacy Notice" or the "Consent 
Statement" includes all of the required elements within Question 4. 


— Continue to Question 7 

NO 
6.5 All personal information is collected directly from the individual to whom it relates, or from 
another source with notice to, or consent from, the individual or a person authorized to act on behalf 
of the individual (see Questions 4 and 5 above).— Continue to Question 7 
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Has Library and Archives Canada approved a records retention and disposal schedule that applies to the 
personal information? (Consult Information Management officials to determine the authority to retain and 
dispose the personal information and provide the relevant details below.) 


Statutory reference: Section 12 of Library and Archives Canada Act, sections 6, 10 and 11 of Privacy Act and 
section 4 of Privacy Regulations 
Policy reference: Sections 6.1.3, 6.2.11 to 6.2.13 and 6.2.23 of Directive on Privacy Practices 

YES 


Please identify the Record Disposition Authority (RDA) and describe the retention and disposal 
schedule: (For example, RDA Number: 79/002, records are retained for 10 years -- active for five 
and dormant for five. Destruction through agreement with Library and Archives Canada.) 


2006/004. Paper records will be retained for 2 years after the last administrative action and 
then are destroyed. Electronic records are retained indefinitely. Work permits are microfilmed - 
and retained indefinitely at Citizenship and immigration Canada. : 


7.2 D AND, implement controls and procedures to ensure that personal information used to make a 
decision that directly affects an individual will be retained for a minimum of two years after the last 
administrative action or, where a request for access to the information has been received, until such 
time as the individual has had the opportunity to exercise ali his/her rights under the Act. 


| AND, if the CBSA intends to dispose of personal information that has been used for an administrative 
purpose prior to the expiration of the two-year minimum retention standard established by the 
Privacy Regulations, it must obtain the consent of the individual to whom the information relates 
before doing so. 


4 AND, the CBSA must cite the RDA number, the retention period and the disposition standards for the 
personal information in the relevant PIB. 
-> Continue to Question 8 
NO 
7.5 [| Provide a Records Disposition Submission to Library and Archives Canada describing the records 
containing the personal information for which the institution requires a RDA. 
7.6 [| AND, obtain a RDA from Library and Archives Canada to allow the CBSA, under certain conditions, to 
dispose of records that no longer have operational utility for the program or activity. 


— Continue to Question 8 


8. Accuracy Of Personal Information 


Will measures be adopted to ensure that personal information used by the CBSA for an administrative 
purpose is as accurate, up-to-date and complete as possible? 


Statutory reference: Sections 6, 10 and 11 of Privacy Act and sections 10 and 11 of Privacy Regulations 


Policy reference: Sections 6.1.1 and 6.2.9 to 6.2.16 of Directive on Privacy Practices 
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YES 
8.1 x Please check any of the following measures that will be adopted to ensure accuracy of the personal 
information and provide details as requested: 

8.1.1 Personal information will be collected directly from the individual to whom it relates or it will be 
validated with the individual or a person authorized to act on behalf of the individual. 

8.1.2 A data-matching process will be used to verify the accuracy of personal information against a 
“reliable source" (within or outside the CBSA) where this is authorized, or where consent was. 
obtained. 

is used for ESDC to provide CBSA with 

information necessary for BSOs, investigators (CIP, regional CIU and IEOD), 

intelligence officers and intelligence analysts (IOAD and regional intelligence units) 

to enforce IRPA. The information received from ESDC is data matched against the 

person(s) or company(ies) who are the subject of an assessment or investigation. 

Likewise, the CBSA may upload information for use by ESDC. Upon 
request, ESDC will request information on a particular company or individual. CBSA - 
| Will perform a data match to ensure appropriate records are uploaded 

for ESDC use. | 


Alli uploads (by ESDC and CBSA) 


Other information sharing will include data matching exercises to ensure the 
appropriate records are being shared by the CBSA (when CBSA discloses 
information) and have been received by the CBSA (when CBSA receives information 
from ESDC). : 2 
8.13 [.] In cases where direct collection or consent is not feasible, the CBSA will obtain information from 
trusted sources (public or private) and verify accuracy against existing personal information 
before use. | 


Details: Identify the sources and procedures to be used to check the accuracy of the 
information | 


| Technological methods will be used to identify errors and discrepancies. 


8.1.4 


Details: Describe the technological methods used 


Specify: (This information is mandatory) 


8.2 | | AND, if measures are adopted other than "direct collection or validation with the individual or with a 
person authorized to act on behalf of the individual", the CBSA must implement appropriate controls 
and procedures to ensure that: 
a| the technique(s) and the specific source(s) used to validate or update the personal information 
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are documented; 

b) individuals are given the opportunity, whenever possible, to request correction of any inaccurate 
personal information before the information is used in a decision-making process that affects 
them; 

c) personal information can only be modified or corrected by those within the CBSA who have the 
authority to do so; 

d) when personal information is corrected or annotated, the record of personal information 
indicates the date of the last correction or annotation and the source of the information used to 
make the correction or annotation; and 

d) when personal information is corrected or annotated, other authorized holders of the 
information are notified about the correction or annotation and that all copies of the information 
in the possession of the CBSA are corrected / annotated. 

8.3 | | AND, if appropriate, ensure that the "Privacy Notice" or "Consent Statement" and the relevant PIB 
are amended to identify the data-matching activity including the source(s). 

— Continue to Question 9 

NO 


8.4 {| 


Explain why such measures will not be adopted: {This information is mandatory) 


— Continue to next Question 9 


. 9. Use Of Personal information 
Will the personal information collected for the program or activity be used solely for the original purpose 
for which it was obtained or compiled, a use consistent with that purpose, or a purpose for which the 
information was disclosed to the institution pursuant to subsection 8(2) of the Privac| Act? 


Statutory reference: Sections 5 and 7 to 11 of Privacy Act 
Policy reference: Sections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive o 
rotection and Section IV of Appendix C of Directive on Pr. 


| Implement controls and procedures to ensure that access to the personal information for such 
purposes will be limited to authorized individuals who need to know the information to perform their 
official duties. (Identify the work positions within the program or activity that have a valid reason to 
access and handle the personal information, and limit access to individuals occupying those 
positions.) 


X AND, ensure that the "Data Flow Diagram" or “Data Flow Tables" completed for “Section 4 — Flow of 
Personal Information" of the CBSA PIA identify the areas, groups and individuals (e.g., the positions) 
within the CBSA who have a need-to-know to access to or handle the personal information, including 
their geographical location and where the personal information will be stored or retained. (See 
Section IV of Appendix "C" of Directive on Privacy Impact Assessment for a list of elements that must 
be included in the data flow diagram or data flow tables.) 
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9.3 m AND, if the purposes for which the personal information is used includes any use(s) of the 
information for a non-administrative purpose, (such as research, statistical, audit and evaluation 
purposes) the CBSA will adhere to the requirements and principles in the CBSA Privacy Protocol For 
Non-Administrative Purposes (2012), in accordance with section 6.2.15 of the Policy on Privacy 
Protection, to address any impact that such non-administrative uses may have on privacy. 


— Continue to Question 10 


NO 
9.4 Identify below any other uses of the personal information, in other words, any routine uses that are 


not directly related to the purpose of the collection, or, which are not consistent with that purpose 
or for which the information was disclosed to the CBSA pursuant to subsection 8(2) of the Privacy 


Act: 


Detail: (This information is mandatory] 


9(1) of the Privacy Act, if these other uses are not described in the PIB in CBSA info Source, the CBSA 
is required to record each use on the individual's file. Describing them in the PIB is, therefore, a far 
more efficient practice - see Question 11.) 
9.6 | ] AND, include a description of these other uses in the "Privacy Notice" or "Consent Statement", as 
appropriate, 
"S |_| AND, ensure the all the other applicable requirements listed under "YES" at Question 9 are met. 
— Continue to Question 10 


Will personal information be disclosed for purposes directly related to the administration of the program or 
activity? 


YES 
10.1 DX] Please check all applicable boxes below and, for each disclosure, identify the name of the 
organization or third party to which personal information will be disclosed. If it is disclosed within the 
CBSA, please identify the branch and the program or activity. 


Detail: IOAD and regional intelligence units may collect information from ESDC and 
subsequently share it with BSOs, CIP, CIU, and IEOD. Also, CIP, CIU, IEOD, IOAD and 
 tegional intelligence units may exchange information to support the CBSA's authority to 
enforce and prosecute offences against the IRPA/IRPR. 


10.1.2 Other federal government institutions 
Detail: To CIC and ESDC who administer the TFWP/FSWP. 
To the Public Prosecution Service of Canada and IRB, when an investigation uncovers 
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10.1.3 x] Provincial, territorial or municipal governments institutions 


Detail: To Courts/Judges for the application of a search warrant. 


10.1.4| | Foreign government institutions and entities thereof 


Detail: (This information is mandatory) 


19.1.5 n International organizations 


Detail : (This information is mandatory) 


Detail: The Defence Attorney during pretrial disclosure will disclose for the purposes of | 
the CBSA's authority to prosecute offences against the IRPA/IRPR. : 


10.17 [X] Other 
Detail : To the subiects defence attorney when an investigation uncovers information 
that is referred for prosecution. 


a) any such disclosure is made in compliance with section 8 of the Privacy Act, which allows 
disclosures of personal information with consent of the individual to whom the information 
relates (subsection 8(1)) or without consent in certain and limited circumstances pursuant to 
subsection 8(2) of the Act; 

D) only personal information elements that are necessary for the intended purpose are disclosed; 

c) the organization or third party receiving the personal information is authorized to do so; 

d) administrative, physical and technical safeguards appropriate to the sensitivity of the information 
will be applied to protect the information during and after its transmission (see Question 15); 

e) the organization or third party to which the personal information will be disclosed for the 
administration of the program or activity are identified in the "Consistent Use" section in the 
relevant PIB in CBSA info Source, including the specific purpose of the disclosure; | 
the "Privacy Notice" or "Consent Statement" describes any disclosures of information; (For a 
copy of the CBSA Privacy Notice and Consent Statement template, contact the ATIP Division) 
and, 

f) the "Data Flow Diagram" or "Data Flow Tables" completed in "Section 4 — Flow of Personal 
Information" of the CBSA PIA include details on the disclosed personal information: (See Section 
IV of Appendix "C" of Directive on Privacy impact Assessment for a list of elements that must be 
included in the data flow diagram or data flow tables.) 


AND, any disclosure of personal information to another federal institution or outside the 
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Government of Canada is governed by a formal agreement or arrangement (e.g., a Memorandum of 
Understanding, an accord, a contractual arrangement, etc.) to ensure that appropriate privacy 
protection clauses are included, and, where applicable, include provisions for inter-jurisdictional or 
transborder flows of personal information. Such clauses must cover the following topics: 
a) Control over personal information, where appropriate. 
b) Limitations on the collection, retention, use and disclosure of personal information. 
c) Measures (administrative, technical and physical) to protect the integrity and confidentiality of 
personal information. 
d) Measures governing the disposition of the personal information, where relevant | 
e) Measures to ensure or verify that the personal information is only used for the purposes related 
to the agreement, arrangement or contract. 
f) Obligations are to be extended to other parties such as subcontractors. 


-> Continue to Question 11 


NO 
10.4| | There is no disclosure of personal information within or outside the institution for purposes that are 
directly related to the administration of the program or activity. 


— Continue to Question 11 


Will controls and procedures be implemented to account for any new use or disclosure of the personal 
information that is not included in the relevant PIB published in CBSA Info Source? 


YES 
11.1 Appropriate controls and procedures have been or will be implemented to ensure that: 

a) the head of the institution (The ATIP Director) or the appropriate delegate is notified about any 
new use or disclosure of personal information that is not reflected in the PIB description 
published in CBSA Info Source; 

b) the consent of the individual to whom the information relates is obtained in writing, as 
appropriate, prior to any new use of the information for an administrative purpose that is not 
reflected in the relevant PIB published in CBSA Info Source, unless the new use is considered to 
be consistent with the purpose for which the personal information was obtained or compiled and 
the Privacy Commissioner is notified, by the CBSA ATIP Director, forthwith regarding the new 
consistent use; 

C) except as permitted under subsection 8(2) of the Privacy Act, any disclosure of personal 
information for a purpose that is not reflected in the relevant PIB published in CBSA Info Source 
will only be made with the consent of the individual to whom the information relates; 

d) a record is kept for any new use or disclosure of personal information not described in the 
relevant PIB published in CBSA Info Source, and that this record is stored with the personal 
information to which it relates and retained for a minimum period of two years following such a 
use or disclosure; (The record of use or disclosure should include the name and title of the person 
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authorizing the use or disclosure; the name of the institution, person, organization or body 
receiving the information; a description of the use or purpose of disclosure; a copy of the 
information disclosed, or a description in sufficient detail to allow a determination of exactly what 
information was used or disclosed.) 

e) if the information is disclosed to a federal investigative body under paragraph 8(2)(e) of the 
Privacy Act, the record of disclosure will be kept in a separate PIB for a period of two years where 
it wil be available to the Privacy Commissioner for review upon request; fe.g., Standard PIB 
^Disclosure to Investigative Bodies" PSE 913) 

f) the Privacy Commissioner is notified, by the CBSA ATIP Director, forthwith, as required under 
subsection 9(4) of the Act, of any new use or disclosure that is consistent with the purpose for- 
which the information was obtained or complied, but which is not reflected in the relevant PIB 
published in CBSA Info Source; 

g) the relevant PIB is amended in time for the next edition of CBSA info Source to include any new 
use(s) or disclosure(s) that are consistent with the purpose for which the information was 
obtained or compiled, as well as any routine use(s) or disclosure(s) that do not fall within the 
categories of purpose of collection or consistent use (e.g., these would include disclosures of the 
information under subsection 8(2) of the Act that take place on a regular basis. By including 
these routine uses or disclosures in the PIB, the CBSA would be relieved from the obligation to 
record each use or disclosure on the individual's file); and 

h) the Privacy Commissioner is notified, by the ATIP Director, prior to or forthwith, as required 
under subsection 8(5) of the Act, about any disclosures made or to be made in the public interest 
or in the interest of the individual to whom the information relates. 


i) Other 


Detail: (This information is mandatory) 


— ; Contihüe to Quéstion 12 


NO 
_11.2{ | Please explain why such controls and procedures will not be implemented 


Detail: Provide adequate justification. 


— Continue to Question 12 
12. Safeguards - Statement Of Sensitivity 
Has a Statement of Sensitivity (SoS) or similar analysis been completed to assess the degree of sensitivity of 


the personal information to be collected and retained for the program or activity? (Input to this section 
should be coordinated with and reviewed by the CBSA — IT - Security Directorate) 


Statutory reference: Sections 7 and 8 of ue Act. 
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YES 


12.1 [ ] The information contained in the SoS or similar analysis has been taken into account when assessing 


the level of risks to privacy in "Section 2 - Risk Area Identification and Categorization” of the CBSA 
PIA. 
— Continue to Question 15 

NO 


| 12.2 [X] Please explain why a SoS or similar analysis was not considered necessary to assess the sensitivity of 


the information. 


— Continue to Question 13 


Has a Threat and Risk Assessment (TRA) or a similar security assessment been completed for the program or 
activity? (Input to this section must be coordinated with and reviewed by CBSA —IT - Security Directorate) 


Statutory reference: Sections 7 and 8 of Privacy Act. 

Policy reference: Appendix C of Directive on Privacy Impact Assessment and sections 6.2.17 to 6.2.21 of 
Directive on Privacy Practices, Policy on Government Security, Operational Security Standard: Management of 
information Technology Security (MITS) 


YES 


13.2 AND, obtain assurances from the officials responsible for the program or activity that the measures 
recommended in the assessment have been implemented to ensure the confidentiality, availability 
and integrity of the personal information. | 

13.3 [| AND, ensure that any residual risks to personal information are known and accepted by the 
executive or senior official responsible for the program or activity and the Head or delegated 
authority for the Privacy Act. (ATIP Director) 

— Continue to Question 14 
NO 
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Please identify below any administrative, physical and technical safeguards in place, or to be implemented, 


for this program or activity to ensure the confidentiality, availability and integrity of the personal 
information. (Safeguards must be commensurate with the sensitivity of the information, the risks identified, 


and the nature of the media in which the information is stored, handled and transmitted. This section must be 


completed with input from CBSA — 1T - Security Directorate) 


impact Assessment and sections 6.2.17 to 6.2.21 of 
Operational Security Standard: Management of 


Policy reference: Appendix C of Directive on Privac 
Directive on Privacy Practices, Policy on Government Security 


Please check all that apply, including safeguards identified by the TRA or similar security assessment. 
14.1 Administrative safeguards 

internal security and privacy policies and procedures 

DX] Staff training on privacy and the protection of personal information 

Screening and security checks of employees 

*X] Appropriate security levels for employees who will have access to personal information 


Contingency plans and documented procedures in place to identify and respond to security and 
privacy breaches, and to communicate security violations to the data subject, law enforcement 
authorities and relevant program managers 

DX Regular monitoring of users' security practices 

S Methods to ensure that only authorized personnel who need to know have access to personal 
information 


NI Other 


Detail : (This information is mandatory) 


[X] Restricted access areas 

[X] Security guards 

[X] Identification badges are worn by staff at all times 
After hours alarms and monitoring systems 
Locked filing cabinets 

Combination locks 

Safes 

Cipher locks 


Key cards 
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Dx] Backups secured off-site 
| | Other 


Detail: (This information is mandatory] 


Will the information system(s) used to deliver the program or activity employ cookies or other tracking 
technologies to collect personal information about users and their transactions? (Input to this section should 
be coordinated with and reviewed by the CBSA — IT - Security Directorate) 


Statutory reference: Sections 4 to 10 of the Privacy Act and section 4 of Privacy Regulations 


Practices 
YES 


Privacy of "Section 2 — Risk Area Identification and Categorization" of the CBSA PIA; (For example, the 
use of an audit trail that records information, such as user logon ID, date and time of logon, logout, 
user location, terminal identity, name and ID of client records accessed, including edits or changes 
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made during each user session, etc. The information is used to verify that only authorized users 
access personal information and to ensure that access can be linked to specific individuals to support 
the investigation of suspected or alleged misuse. The information is retained for a period of two 
years.) 


| | AND, the collection of any personal information using such technologies is reflected in the relevant 
PIB and in “Section 3 — Analysis of Personal Information Elements" of the CBSA PIA; 


15.2. 


, 153 [ ] AND, the use of such technologies to collect information about users and their transactions Is 


adequately reflected in the "Privacy Notice"; 


15.4 E AND, those responsible for implementing and using tracking technologies to collect personal- 


information or who may have access to personal information collected through these methods are 


made aware of privacy and security policy requirements; 

15.5| | AND, where personal information collected through such tracking technologies is used to make a 
decision that directly affects the individual to whom the information relates, it will be retained for a 
minimum of two years after the last administrative action as required under the Privacy Regulations. 


— Continue to Question 16 


NO 


Will the new or modified program or activity result in new or increased surveillance or monitoring of a 
targeted population? (input to this section should be coordinated with and reviewed by the CBSA — IT - 
Security Directorate) 


Statutory reference: Sections 4 to 10 of Privacy Act, section 4 of Privacy Regulations and section 8 of the 
Charter of Rights and Freedoms 
Policy reference: Subsections 6.1.1, 6.1.9, 6.2.9 to 6.2.13 and 6.2.17 of Directive on Privacy Practices 
YES 
16.1[ | Consult with your legal advisors to determine whether or not such surveillance or monitoring 
activities raise any issues relating to the Charter of Rights and Freedoms, the Privacy Act or other 
applicable acts. 


16.2 |] And, ensure the surveillance or monitoring method(s) to be used, the characteristic(s) of the 


targeted population and the scope of the surveillance or monitoring are adequately described under 
Part 6: Technology and Privacy of "Section 2 — Risk Area Identification and Categorization" of the 
CBSA PIA. 

16.3 AND, any personal information collected or created as a result of such surveillance or monitoring is 
described in the relevant PIB and in Section 3 — Analysis of Personal Information Elements" of the 
CBSA PIA. 


.164| | AND, the collection or use of personal information through surveillance or monitoring is adequately 


reflected in the "Privacy Notice", unless such notification might result in the collection of inaccurate 
information or defeat the purpose or prejudice the use for which the personal information is 
collected. 

[| If notice about surveillance or monitoring will not be provided 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


TFWP ISA with ESDC : PIA 


MITT i AAA AA TAN RA nS ii RIP TI i a RR KY PLLA LLL LLIN iin 


16.5| | AND, those responsible for implementing and using such surveillance or monitoring method(s) or 
who may have access to personal information collected or created through these methods are made 
aware of privacy and security policy requirements. 
—» Continue to Question 17 
NO 
5 The new or modified program or activity will not result in surveillance or monitoring. 


— Continue to Question 17 


17. Considerations Related to Compliance, Regulatory Investigation, Enforcement 


Does the program or activity involve compliance/regulatory investigation or law enforcement, surveillance 
or intelligence gathering that targets specific individuals against whom penalties, criminal charges or 
sanctions may be applicable? 


YES 
17.1 DX] Consult with your legal advisors to determine whether or not the compliance/regulatory 
investigation or law enforcement activities raise any issues relating to the Charter of Rights and 
Freedoms, the Privacy Act or other applicable acts. 


AND, identify the legislative authority and the specific regulatory or law enforcement purpose 
involved: 


Detail: Subsection 4(2) of the IRPA states the Minister of Public Safety and Emergency 
Preparedness is responsible for administering the Act as it relates to the enforcement of the > 
Act, including arrest, detention and removal. 


€ AND, if the | legislative authority differs from the legal authority for the program or activity, ensure it 
is adequately reflected in the response to Question 1 of “Section 5 — Privacy Compliance Analysis” 

and in “Section 1 — Overview and PIA Initiation “of the CBSA PIA. 

| AND, any personal information collected or created as a result of such regulatory or criminal 
enforcement, surveillance or intelligence gathering program or activity is described in the relevant 
PIB and in “Section 3 ~ Analysis of Personal information Elements" of the CBSA PIA. 


17.3) 


17.4 | 


AGS "CX AND, the collection or use of personal information through these compliance / regulatory 
investigation or enforcement activities is adequately reflected in the "Privacy Notice”, unless such 
notification might result in the collection of inaccurate information or defeat the purpose, or 
prejudice the use, for which the personal information is collected. 

[|_| If notice about the compliance/regulatory investigation or law enforcement activities will not be - 
provided. 
Details explain why: (This information is mandatory) 


NO 
17.6| | The program or activity does not involve the conduct of regulatory or criminal enforcement, 
surveillance or intelligence gathering. 
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The ATIP Division will document the recommendations resulting from the risk identification and 
categorization, as well as in a manner that is commensurate with the risk identified. The risks and 
recommendations will be incorporated into the action plan as described in Annex B: Office of the Privacy 
Commissioner Expectations (2011) 


Document the conclusion drawn or recommendations resulting from the risk identification and 
categorization in a manner that is commensurate with the risk identified. 


ACCOUNTABILITY 


Within the CBSA 

The CBSA has a robust administrative structure to ensure compliance with the Privacy Act and related 
policies and directives. In FY 2012-2013, a Privacy Oversight Committee (POC) was established which 
consists of senior officers and executives within the CBSA that meet regularly to discuss privacy issues, 
as well as monitor the development of privacy poli PA instruments and PIAs. The POC also helps identify a 
need to assess upcoming initiatives for potential PIA 


Bi-monthly reports on the status of PIAs are provided routinely to the POC and the OPC to ensure 
adequate planning for the completion of PIAs. 


The ATIP Division is responsible for recommending the development of a PIA and/or other measures to 
ensure that existing or new programs / activities are privacy compliant. When contacted, the ATIP 
Division will provide program areas with the Privacy Impact Questionnaire (PIQ). The PIQ is a template 
that requests high-level information similar to sections 1 and 2 of the Core PIA template, and is used to 
develop and record any recommendations given by the ATIP Division concerning the program or activity. 
The PIQ enables the ATIP Division to make informed recommendations as to whether or not a PIA or 
other privacy compliant measures are required. 


The ATIP Division is also a required stakeholder in the development of Written Collaborative 
Arrangements (WCAs) such as MOUs and ISAs. Aside from reviewing WCAs for compliance with the 
Privacy Act and TBS policies, directives, and guidelines, the ATIP Division also makes recommendations 
with respect to the conduct of a PIA before the implementation of WCAs. 


In FY 2012-2013, the CBSA also developed two privacy policy instruments: 
e The Privacy Breach Protocol; and 
e The Directive on Non-Administrative Uses of Personal Information (Privacy Protocol) 


The Privacy Breach Protocol ensures that all security violations which include personal information are 
reported to the ATIP Division in addition to the Security and Professional Standards Division, and 
outlines the roles and responsibilities of the Agency with respect to privacy breaches, which may include 
notification of the individuals, notification of the OPC, and the identification of mitigating measures, 
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The Directive on Non-Administrative Uses of Personal Information sets out the process, roles and 
responsibilities for the creation of a Privacy Protocol for those programs and initiatives the use personal 
information for non-administrative purposes, such as statistical reporting. 


In FY 2013-2014 the CBSA introduced an online awareness course on Information Management (IM) and 
ATIP. The course was jointly developed in FY 2012-2013 and seeks to educate employees on their IM 
and ATIP responsibilities. This course will be supplemented by current training activities, which include 
an in-depth session on the administration of the ATIP program at the CBSA, the development of PIAs, 
and Info Source training. 


Specific to TFWP and the ISA with ESDC 

The ISA between the CBSA and ESDC maintains strict clauses related to the types of information that is 
permitted to be exchanged, the method of exchange, security of information, accuracy, secondary 
disclosures, authorities for disclosure, and audit capabilities. 


Also, the ISA stipulates that each organization has designated a senior manager for issues related to the 
implementation and administration of the agreement. 


Risks and Mitigations Strategies 


No risks have been identified related to this principle. 


Within the CBSA 

The CBSA maintains its info Source chapter on its website at http://www.cbsa-asfc.gc.ca/agency- 
agence/reports-rapports/pia-efvp/atip-aiprp/infosource-eng.html. It conducts ongoing reviews of the 
chapter to ensure that it accurately and completely describes the personal information activities of the 
Agency. 


Specific to TFWP 

PIB CBSA PPU 050 (TFWP), CBSA PPU 035, and CBSA PPU 1402 accurately reflect the types of 
information collected, the purpose, legislative authority, and the consistent uses of the information, 
including the disclosure of information to CIC and ESDC for the purposes of administering the 
TFWP/FSWP. 

Risks and Mitigations Strategies 


No risks have been identified related to this principle. 
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Specific to TFWP 

Consent is obtained from the FN at the time he/she reports to a POE with the appropriate 
documentation. The individual reports for examination and when applicable submits an E-311 form 
which contains proper notice instructions. The individual has also been provided with adequate privacy 
notice provisions related to the Work Permit and has provided implied consent within the LMIA 
Application process. 


Also, by seeking inclusion in the TFWP/FSWP, the FN understands that his/her personal information may 
be used to administer and enforce the IRPA and IRPR, of which the CBSA has certain responsibilities. 


Risks and Mitigations Strategies 


No risks have been identified related to this principle. 


Within the CBSA 

Throughout the PIA process, the ATIP Division works with program areas to ensure that CBSA programs 
limit the collection of personal information to only that which is necessary to administer the program or 
activity, 


Specific to TFWP 

The ISA between the CBSA and ESDC enumerates the data elements that can be exchanged. However, as 
this ISA allows for information to be used for additional purposes than what has historically been 
permitted, it is important that CBSA staff understand the types of information which they can request, 
collect, and use. Furthermore, because the CBSA is negotiating further expansion of data exchange with 
ESDC, it is important that staff within CIP, CIU, IEOD, IOAD, and regional intelligence units are aware of 
the current limitations on what data can be requested and disclosed. in other words, that the current 
structure of the ISA does not permit CBSA staff to request or disclose information that is being 
negotiated for further expansion of the ISA. 


Risks and Mitigations Strategies 


Risk #1: There is a risk that personal information could be disclosed to/by the CBSA and used for a 
purpose that is beyond the scope of the ISA. Furthermore, there is a risk that CBSA staff may be 
unaware of the limitations of the ISA and that an offence provision within DESDA may apply to them and 
the CBSA if they disclose information received from ESDC in contravention to the ISA/DESDA. 


itigation: All relevant staff will be made aware of the parameters of the ISA and that disclosures to/by 
the CBSA must be limited to those authorized under the current ISA. Operational guidance will be 
developed and provided to staff that outlines the limitations of the ISA, as well as the applicable offence 
provisions within DESDA. In addition, measures to appropriately identify ESDC information held within 
CBSA systems will be introduced. 
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LIMITING USE, D 


nd 


SCLOSURE AND RETENTION 


Within the CBSA 

Throughout the PIA process, the ATIP Division works with program areas to ensure that CBSA programs 
limit the use, disclosure, and retention of personal information to only that which is necessary to 
administer the program or activity. 


in FY 2012-2013, the CBSA developed guidelines on the disclosure of customs information pursuant to 
$.107 of the Customs Act. These guidelines set out the specific provisions, their limitations, relevant 
considerations and the appropriate positions within the CBSA (employee, supervisor, senior manager) 
that can authorize specific disclosures or uses. Personal information that is also customs information is 
disclosed in accordance with s.107 of the Customs Act rather than ss. 8(2) of the Privacy Act. 


A similar set of guidelines for s. 8(2) of the Privacy Act was implemented in FY 2013-2014. 


Specific to TFWP 

The ISA between the CBSA and ESDC enumerates the data elements that can be exchanged, as well as 
the use and disclosure restrictions. To abide by the ISA, it is important for CBSA staff to be able to 
identify information which has been provided by ESDC so that such information can be subjected to the 
strict secondary disclosure requirements of the ISA. However, when data is provided through ESDC's 
Online Fraud Reporting Tool, requested and provided IEOD, 
IOAD, and regional intelligence units there are limited mechanisms within the CBSA to identify/mark the 
electronic information or the hard copy information as having been disclosed by ESDC. Therefore, it will 
be difficult for the CBSA to apply the secondary disclosure restrictions that are reflected in the ISA. 


Risks and Mitigations Strategies 


Mitigation: The CBSA will implement procedures to clearly identify ESDC records that are shared 
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Furthermore, BSOs will be made aware that restrictions to the sharing of ESDC information also apply to 
information obtained via the FWS-FOSS/FWS-GCMS one way interface. 


ACCURACY 


Within the CBSA 

Throughout the PIA process, the ATIP Division works with program areas to ensure that CBSA programs 
create a process for ensuring the accuracy of information as required, and that program areas are 
capable of handling requests for correction of personal information. 


The correction process is coordinated centrally from the ATIP Division. Requests for correction are 
forwarded to the appropriate program area for action. A response letter is sent to the client indicating 
whether the correction was accepted or refused, whether the correction Is made directly or notated to 
the file, and whether or not that information has been disclosed and that those recipients would be 
informed appropriately. The ATIP Division is looking at developing a more standardized approach and 
directive in FY 2013-2014 for the processing of correction requests. 


Specific to the TFWP 

TFWs who present themselves at the POE with a WP, positive LMIA report, or other documentation 
have their personal information matched with GCMS, which maintains an interface with FWS. Therefore, 
as with other identity matching procedures at the CBSA, BSOs are diligent in ensuring that the FN 
presenting him/herself at the POE is the same individual who has applied to CIC and/or ESDC for 
inclusion in the TFWP. 


Regarding the activities of CIP, CIU, IEOD, IOAD, and regional intelligence units, as part of their 
investigative and intelligence activities, procedures are in place to ensure accuracy of information before 
an administrative action is taken against the individual. 


Risks and Mitigations Strategies 
No risks have been identified related to this principle. 
SAFEGUARDS 


Within the CBSA 

Typically the ATIP Division strongly recommends the completion of a TRA and SoS as part of the PIA 
process, and directs programs to contact Corporate Security for guidance with respect to those 
instruments. A summary of the risks identified in a TRA are appended to the PIA to ensure that all risks 
are identified and mitigated by the program area. 


CBSA employees are required to take the online CBSA Security Awareness course when they begin 
employment, and to refresh their training every two years. CBSA managers are required to take both the 
CBSA Security Awareness course and a CBSA Security Awareness course for managers. 


The Privacy Breach Protocol complements existing CBSA security policies, and ensures that all security 
violations which include personal information are reported to the ATIP Division in addition to the 
Security and Professional Standards Division, and outlines the roles and responsibilities of the Agency 
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with respect to privacy breaches, which may include notification of the individuals, notification of the 
Office of the Privacy Commissioner, and the identification of mitigating measures. 


Specific to TFWP 

All relevant information systems at the CBSA have been through the Security Assessment and 
Authorization (SA&A) process (formerly the Certification and Accreditation) for the processing and 
Storing of Protected B information. 


Regarding the ISA, ESDC is responsible for developing and maintaining 

As ESDC is responsible for maintaining 

CBSA will ensure that no information is uploaded to the site 
until such time that appropriate security measures are in place. 


Separate from some data is This practice may change once 
the is in place; however, the : may involve information classified as Protected 
B or higher that must be sent via approved nethods. Also, emails exchanged between CBSA 
investigators and ESDC's TFWP regarding requests for paper copies of LMIA data (to support search 
warrants and prosecution) that is related to an ongoing investigation at CBSA should be considered 
Protected B information; these email transmissions may require 


Risks and Mitigations Strategies 


Risk #5: When information is needed by the CBSA to support legal proceedings (i.e. prosecution), a 
request is sent to ESDC's TFWP However, there may be instances where |. with 
investigative details designated as information are sent to ESDC 
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Within the CBSA 


: a y-a; /ret | foi D. iDrp, infasourte- pare: The , ATIP Division 
ensures that the descriptions of program privacy practices are kept complete and up-to-date. 


The Directive on Privacy Impact Assessments requires departments to ensure that PIA summaries in 
both official languages are made available to the public. At a minimum the summary must address 
section 1 and 2 of the Core PIA m CBSA PIA summaries are pum at http://www.cbsa- 


Upon completion of a PIA, PIA summaries are posted on the CBSA website, which also contains 
information on accessing personal information at the CBSA. 


Specific to TFWP 

PIB CBSA PPU 050 (TFWP}, CBSA PPU 035, and CBSA PPU 1402 accurately reflect the types of 
information collected, the purpose, legislative authority, and the consistent uses of the information, 
including the disclosure of information to CIC and ESDC for the purposes of administering the 
TFWP/FSWP. 


Also, a PIA Summary will be authored and submitted to CBSA ATIP for approval and posting on the CBSA 
website. 


Risks and Mitigations Strategies 
No risks have been identified related to this principle. 


INDIVIDUAL ACCESS 


Within the CBSA 

The CBSA maintains a robust and responsive ATIP program. The ATIP Division implemented a more 
rigorous records retrieval process in November 2011. The process improved the accountability of 
records retrieved by actively engaging CBSA directors. In combination with the ATIP Division's training 
regime, CBSA employee and management ATIP awareness has increased considerably. 


Specific to the TFWP 
When required, BSOs and all relevant staff involved in TFWP/FSWP respond accordingly to ATIP 
requests. 


Risks and Mitigations Strategies 


No risks have been identified related to this principle. 
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Within the CBSA 

The ATIP Division is primarily response for coordinating responses to privacy complaints that were 
submitted to the OPC. Incoming complaints are assigned to an ATIP officer, who in turn tasks the 
appropriate program area to provide records relevant to the complaint, draft a response to the 
complaint, and if necessary, institute measures to resolve the complaint (if a response is not sufficient). 


The ECM program is responsible for coordinating responses to service-related complaints received via 
the online feedback form. 


Specific to TFWP 


When required, BSOs and all relevant staff involved in TFWP/FSWP respond accordingly to ATIP 
requests. 


Risks and Mitigations Strategies 


No risks have been identified related to this principle. 
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2 — identifying 
Purposes 


| 3 — Consent 


| disclosed to/by the CBSA and used for a purpose | 
| that is beyond the scope of the ISA. Furthermore, 
there is a risk that CBSA staff may be unaware of the 
limitations of the ISA and that an offence provision 
within DESDA may apply to them and the CBSA if | 
they disclose information received from ESDC in | 
| contravention to the ISA/DESDA. | 
Introduction/Annex J : | 
| Mitigation: All relevant staff will be made aware of 
Sections 4.2 and 4.3 the parameters of the ISA and that disclosures to/by 
the CBSA must be limited to those authorized under 
the current ISA. Operational guidance will be 
| developed and provided to staff that outlines the 
| limitations of the ISA, as well as the applicable | 
offence provisions within DESDA. In addition, 
measures to appropriately identify — ESDC 
information held within CBSA systems will be 
introduced. | 


4 — Limiting 
Collection 


I aa naa 


E 


v 


ESDC pursuant to the ISA may be disclosed to a | 
third party in contravention of the disclosure | 
clauses of the ISA. Currently, information 

received from ESDC may not be appropriately | 
identified/marked as originating from ESDC, | 
and subject to the unique disclosure | 
restrictions of the DESDA. 


2 section 4.3 TEE | "- | j 
Mitigation: The CBSA will implement procedures | 


to clearly identify ESDC records that are shared 
| pursuant to the ISA. This will apply to both 
| paper records and data that are stored in CBSA 
systems. Furthermore, BSOs will be made 

aware that restrictions to the sharing of ESDC 

information also apply to information obtained 
| via the FWS-FOSS/FWS-GCMS one way 
| interface. 
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‘Principle  Risk# | PIA Section I petals _ o | 


i. 
E 


] | to exchange Protected B information. ^ 
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| The current disclosure of information by ESDC tothe 
: | CBSA via the Online Fraud Reporting Tool is not 
, | | transmitted to the CBSA 


i j j 


When 
ESDC staff complete the CBSA Lead Referral Form, it 


4 Section 4.3 may 


| When information is needed by the CBSA to support | 
| legal proceedings (i.e. prosecution), a request is sent 
| to ESDC's TFWP via However, there 
| may be instances where ith investigative 
| details designated as Protected B information are 


sent to ESDC v 


5 Section 4.3 


: Mitigation: The CBSA and ESDC will make every 
| | reasonable effort to ensure that the transmission of 
| | | information via utilizes : when it is | 

| necessary. 
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i 
H i 


Canada Border Services Agency 


e 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


esc cement saeco mr 


TEWP ISA with ESDC | PIA 


List all supplementary documents that support the conclusions of this CBSA Privacy Impact Assessment. 
For each document, cite the specific sections of the documents (subject, chapter, page, paragraph, etc.} 
that correspond with the CBSA PIA and link them to the PIA sections. 


| Scope of the PIA is related t 


ng Agreement | 
| this PIA uu | 


| Entire Document 


| Information Shari 


ERR 
H 


2011 PIA on. MOU (Data Sharing for Entire Document | Introduction, Section D 
TFWP Between ESDC and the CBSA) | | | 
n "-—— ÁN ME RN ae 


——Á" 


The following signature represents a 
commitment to comply with sections 4 to 8 of 
the Privacy Act and the related privacy policy 


requirements outlined in the CBSA PIA as they 


relate to the administration of the identified 
program or activity. 


ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


The following signature represents a commitment 
by the Head of the institution or his/her 
delegate(s) who is responsible for establishing 
personal information banks in accordance with 
section 10 of the Privacy Act. 


Date 


Note: Responsibility for sections 4 to 8 of the Privacy 
Act rests with all employees of government 
institutions that handle personal information. Officials 
who manage such programs and activities are 
responsible for ensuring that such requirements are 
implemented as part of the administration of the 


program or activity. 
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Under the Privacy Act, the Head or his/her 


Note: 
delegate(s] is responsible for complying with legal and 
relevant privacy policy requirements related to the 
approval and registration of personal information 


banks 
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| Annex À Privacy Compliance Checklist and Other Considerations 


Note: The table below must be used to keep an account of actions completed and to track outstanding actions required to 
achieve privacy compliance: 


Privacy Action required to support legal and policy compliance Done Tobe 
Compliance (cross reference to relevant question of Section 5 — Privacy | done 


Analysis question Compliance Analysis) 
H 


1 Legal authority for the program or activity has been established and is 
reflected in the relevant PIB. 


2 a) The categories and elements of personal information to be 
collected for the new program or activity have been carefully 
assessed based, for example, on the CBSA's experience gained with x 
the administration of a similar program or activity. The personal 
data collected will be limited to only that which is required.) 


b) Categories and elements of personal information have been = 
described in the relevant PIB for the program or activity. 

c) Controls and procedures will be implemented to ensure the CBSA 
does not collect more personal information than necessary for the 
program or activity and that a continuing need exists for the 
personal information and its collection. 


Aand 5 a) All of the requisite “Privacy Notices” and "Consent Statements" 
that meet the requirements of sections 6.2.9 to 6.2.12 of the 
Directive on Privacy Practices have been drafted. (Texts of the 
notices and consent statements must be included as an annex.) For 
a copy of the CBSA Privacy Notice and Consent Statement 
template, contact the ATIP Division. 


b) Controls and procedures have been implemented to keep records 
of individual consents, and to ensure that persons acting on behalf 
of individuals who do not have the capacity to provide consent 
have the authority to do so under section 10 of the Privacy 
Regulations. 


7 a) A Records Disposal Authority (RDA) has been approved by Library 

and Archives Canada to authorize the disposal of the records [X] [| 
containing personal information for the program. 

b) Controls and procedures have been implemented within the [x] LT 
program or activity and the CBSA ATIP Division to ensure that 
information that has been used for an administrative purpose will 
be kept for the minimum retention period established by the 5d E 
Privacy Regulations. a 

c) Reference to the RDA, the retention period and the disposition 
standards for the program have been cited in the relevant PIB. 
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Action required to support legal and policy compliance 
(cross reference to relevant question of Section 5 — Privacy 
Compliance Analysis) 


Controls and procedures are in the process of being implemented to - 


ensure that the personal information associated with the program is 
as accurate, complete and up-to-date as necessary. 
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PIA 


Done Tobe 
done 


Other Privacy Considerations related to specific principles that are not explored in the previous 17 sections: 


(these considerations should be explored in the Executive Summary) 


Describe how the results of any privacy impact assessment or audit 
will be made available to the public. The Executive Summary will be 
published on the external CBSA ATIP Division website at 
http://www.cbsa-asfc.gc.ca/agency-agence/reports-ra pports/pia- 
efvp/atip-aiprp/pias-sefp-eng.html 


Are policies and practices relating to the proposal's management and 
handling of personal information available to the public? 


is there a communications plan to explain to the public how personal 
information will be managed and protected? 


Is there a clearly defined and easy process for individuals to access 
such information and/or communicate with appropriate individuals 
with respect to policies and practices relating to management and 
protection of personal information? 


Where appropriate, will public consultation take place on the privacy 
implications of the proposal? N/A 


Is the system designed to ensure that an individual can have access to 
his/her personal information, including all other programs or 
applications that have received copies of the information? s. 12(1) 


Are there documented procedures developed or planned on how to 
make privacy requests or requests for the correction of personal 
information? s. 12 (2) 

Are individuals provided with access to their personal information in 
the official language of their choice? s. 17(2) 

If appropriate, are individuals provided with access to their personal 
information in an alternative format? s. 17(3) 

Are the complaint procedures for the proposed program or service 
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Privacy Action required to support legal and policy compliance Done Tobe 
Compliance (cross reference to relevant question of Section 5 — Privacy done 


Analysis question Compliance Analysis) 
H 


Compliance consistent with legislated requirements? s. 29-35 


To improve information management practices and standards, has a 
procedure been established to log and periodically review the nature, 
frequency and resolution of complaints? 


Are there oversight and review mechanisms implemented or L] 
available to ensure accountability? 


Have oversight agencies, including the Office of the Privacy  [] [| 
Commissioner, issued reports or opinions on issues that would be 
relevant to the proposal? N/A 
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: Annex B: Office of the Privacy Commissioner Expectations 


in their March 2011 document, Expectations: A Guide for Submitting Privacy Impact Assessments to the 
Office of the Privacy Commissioner of Canada, the Office of the Privacy Commissioner (OPC) has 
expressed the importance of analysing the risks of the project, program or initiative against the ten 
universal privacy and fair information practice principles of the Canadian Standards Association Model 
Code for the Protection of Personal Information. 


The most relevant demonstration of the privacy risk and compliance analysis is the action plan. The OPC 
has said the following in their Expectations guide with respect to the action plan: 


Once privacy risks and their proposed mitigating measures have been identified, we expect to 
see an Action Plan drawn up by the institution, indicating a specific time frame for remedying or 
mitigating the risks that have been identified, and if possible, naming a specific person or staff 
position accountable for taking action. 


The action plan must list all privacy risks and compliance issues identified in the PIA and supplementary 
documentation. All risks and issues must be organized by the 10 universal privacy principles. 


All recommendations and proposed mitigation strategies must also be described in the action plan. 
identify the responsible program area and the timeline for completion or implementation of the 
strategy. The ATIP Division will provide programs with an action plan template to be addressed near the 
end of the PIA process. 


The expectations of the OPC for each privacy principles are included below for your reference. 


Accountability 

Under this principle the OPC would expect to see documentation of an administrative structure for 
privacy, including input from legal services, access to information and privacy and information 
technology branches within an institution, with defined processes for determining when new projects 
require PIAs, for carrying them out, implementing mitigating measures and auditing for assurance of 
compliance. We expect PIA reports to be signed off at the appropriate level, and that training In privacy 
issues and procedures has been documented and is refreshed with employees regularly; and that 
privacy protective language is included in all contracts with third parties handling personal information 
in accordance with TBS guidance documents and internationally accepted best practices; and that 
regularly scheduled privacy compliance audits will be undertaken and the findings acted upon. 


Identifying Purposes 

The Privacy Act restricts federal government institutions to the collection of personal information that 
relates directly to an operating program or activity of the institution, so we would expect to see a clear 
description of the program and why each piece of information is needed; a description of the legislative 
authority for the collection; a clear listing of all the data elements collected; copies of any relevant 
documents such as application forms identifying the purpose for the collection or on-line notices of use; 
a copy of an up to date Personal information Bank (PIB) description; a statement of any proposed new 
consistent use of information previously collected and a clear rationale as to how the use is reasonable 
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and directly connected to the original collection -- this may include an analysis of how an individual to 
whom it relates would reasonably expect it to be used for that purpose; a statement outlining any 
intended secondary uses of the information; whether the information is collected directly from the 
individual and if not, why; and a description of how personal information used for planning, forecasting 
or statistical purposes would be anonymized or de-linked from individual identifying information. 


Consent 

This is closely tied to the Identifying Purpose principle. Under this principle, OPC would expect to see a 
copy of notification language on forms or websites; a clear description of the purpose for collection; a 
rationale for not seeking consent, as is provided for in the Privacy Act; for web sites, a copy of the 
Privacy Notice Statement under which personal information is submitted to the institution. 


Limiting Collection 

Under this principle, OPC would expect to see a clear justification of the need for each data element 
collected, in keeping with the requirement of the Privacy Act that no personal information is to be 
collected by a government institution unless it relates directly to an operating program or activity of the 
institution; an indication that a data minimization exercise has been undertaken to ensure that each 
data element is necessary and that this exercise will be refreshed regularly; and that information 
coliected from another department for a secondary use will be purged of all but the essential data 
elements before use. 


Limiting Use, Disclosure and Retention 

Under this principle, OPC would expect to see a description of the specific uses and proposed 
disclosures of the information; a clear statement limiting the use of the information to the purposes 
identified; a clear retention policy and disposition schedule that is also noted in the PIB; a process for 
destruction of the information that is in keeping with the Privacy Act and Regulations; copies of MOUs 
or agreements with third parties to whom information is disclosed governing its use, retention and 
disciosure, and clauses with contractors or sub-processors of information indicating the originating 
institution has the right to audit for compliance with privacy provisions. 


Accuracy 

Under this principle, OPC would expect to see a description of the process used by entities to ensure 
accuracy, particularly when administrative decisions are made; a description of how changes to records 
are logged and monitored; a statement of whether automated decision-making based on risk profiles is 
being undertaken and how automated decisions are vetted for accuracy; an explanation of the 
processes open to individuals seeking to correct information; a description of the process by which 
second or third parties to whom information has been disclosed will be notified of changes and 
corrections to the record; and a description of how audit trails of records transactions are monitored 
and evaluated. 


Safeguards 

OPC would expect to see under this principle a description of the physical and electronic safeguards that 
are in place to protect information; a Threat & Risk Assessment (TRA) with emphasis on privacy risks and 
concerns and a discussion of how these concerns have been remedied or addressed; a notation that 
encryption is used for personal information both in transit and at rest; a description of how system logs 
of information transactions are monitored for inappropriate use, including viewing of the information; 
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policies for the use of portable storage devices such as flash drives; a description of role-based access 
controls; and a description of the steps taken to ensure complete destruction of the information at the 
end of its life cycle. 


Openness 

Under this principle, OPC would expect to see a summary of the PIA written in plain, understandable 
language, posted on the institutional website in a manner accessible to the general public and 
containing a link to the relevant PIB description in CBSA Info Source; for particularly sensitive or privacy 
invasive programs we would expect to see the public communications plan described in the PIA, 
including a variety of methods such as posters, brochures and media announcements as well as detailed 
discussion of the PIA in the institution's Annual Report under the Privacy Act; a description of 
consultations with key stakeholders and the privacy risks or concerns raised should be readily available 
on the website; the name and contact information of an individual accountable for the handling of 
personal information should be easily obtained through the website or by calling the institution's main 
public number. 


individual Access 

Under this principle, OPC would expect the PIA to include a description of any informal process the CBSA 
may have in place for access to and correction of personal information; an up to date and 
comprehensive description of information contained in the PIB corresponding to the initiative; a 
description of the process by which information in the hands of third parties is corrected following 
requests; a description of how the general public is made aware of these processes, for example, by a 
link and/or a toll-free number shown on the home page of the institutional website. 


Challenging Compliance 

OPC would expect to see the PIA address this principle by indicating clearly who is responsible for 
receiving and resolving privacy complaints; describing complaints that may have been received in any 
similar activity or pilot project and how they were handled; including privacy issues in project 
evaluations or feasibility reports; describing how and when compliance audits for privacy will be 
undertaken; including information on how to file a complaint with OPC under the Privacy Act; and 
reporting in some detail on specific and/or systemic privacy issues in its Annual Reports. 
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al Information 
The Description section in a personal information bank (PIB) describes the personal information 
in the records to which the bank relates. Treasury Board Secretariat has established the 
following categories of personal information, which give examples of specific elements of 
personal information that fall under each category. The purpose of the categories is to reduce 
the number of personal information elements that need to be listed in the Description section. 
These categories are representative of the personal information collected by most institutions, 
and they now appear in many of the CBSA registered PIBs. The ATIP Division modified the 
original list to reflect CBSA business lines. 


e Biographical information (e.g. work history, curriculum vitae, family information, 
Passenger Information, etc.) 

e Biometric information (e.g. blood type, eye or facial scan, DNA, finger / hand prints, etc.) 

e Contact information (e.g. work and / or home information, including postal and e-mail 
addresses, telephone, fax, cell phone numbers, etc.) 

e Citizenship status or Nationality (e.g. citizen, landed immigrant, etc.) 

e Crew detailed information 

e Criminal checks / history (e.g. information related to criminal record checks, 
investigations, charges, conviction dates and locations, pardons, etc.) 

e Date of birth 

e Date of death 

e Destination City 

e Employee identification number (e.g. Personal Record identifier) 

e Employee personnel information (e.g. records of attendance and leave, notices of 
disciplinary action, alternative work arrangements, decisions concerning compensation 
and fitness for work, official languages qualifications, salary, deductions, level of security 
clearance, performance reviews and appraisals, rating board assessments, including 
evaluation notes from staffing boards, training and development course applications 
and evaluations, etc.) 

e E-Ticket Information 

e Financial information (e.g. income, investments, mortgages, loans, orders of 
garnishment, financial institution information for direct deposit and other banking 
purposes, including name and branch number of institution, account number(s) and 
name(s) on accounts, etc.) 

e FOSS Case Number 

e Gender 

e {tinerary Cities 

e Language (e.g. mother tongue, official and other languages, etc.) 

e Medical information (e.g. psychological assessments, blood type, etc.) 

e Name (e.g. last name (surname/family name), given names (first, second or more), 
maiden name, nicknames, aliases, etc.) 

® Opinion or views of, or about, individuals 

e Passenger Name 

e Passport Number or Travel Document Number 
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e Place of ticket purchase 

e Photos 

e Physical attributes (e.g. height, weight, color of hair and eyes, physical markings (scars, 
tattoos, body piercing), etc.) 

€ Place of birth 

e Place of death 

e Port of Embarkation and Port of Debarkation 

e Signature 

e Special Travelling Considerations such as Employee Pass, Buddy Pass and Parental 
Passes 

e Visa Number 


Canada Border Services Agency 


ASFC - Divulgation en vertu de | 


n vertu ce la lol sur l Acces a l'Information. 


TFWP ISA with ESDC 2 PIA 


* 


Annex D: Labour Market Impact Analysis Application 


Employment and Emploi et Please Print 
Social Development Canada Développement sone! Canada PROTECTED WHEN COMPLETED - B 


LABOUR MARKET IMPACT ASSESSMENT APPLICATION 
HIGH-WAGE AND LOW-WAGE POSITIONS 


Personal Information Collection Statement 


The information you provide on this form is collected by Emp 
nee er Protection À ; 


ment en d Social Development Canada (ESOC) under the authority of the immigration aed 
és Protection Regulations (IR? RT, for the purpose of providing a Labour Market impact Assessment 
iuntanry; however, failure to complete this form will result in your LMIA application not being 


Tha information you provide may Se shared with Citizenship and immigration Canada (CIC) for the administration and enforcement of the [RPA and IRPR as 
permitec by the Department of Employment and Sociai Deveiooment Act (DESO ACU, and May be accessed by the Canada Border Services Agency (CBSA) 
for the purpose of issuing work permits at Parts of Eniry. ESDC may also provide information 16 CBSA in order for that agency to Investigate and enforce the 
REA and IRPR in relation fo an LGA. 


Ihé information may also be shared with provincialhemitoria! governments for the purpose of administration and enforcement of provinciaitemtonel legislation, 
meuding emplayment standi |f and sey legislation as perrulied by the DESO Act. The Information may also be used by ESOC for 


ndarja and occupational healt ife S 3 
inspections, policy analysis, research and evaluation in relation to the entry and hiring of TEWs to Canada or fhe REA, 


a 


pes 


RUE 


ration and Refugee Protection Act | 
pre iding inaccurate information, in the context 
9 access the Program for a period of two years. 


2. Canada Revenue Agency Business Number (first 8 digits are mandatory for | 


Caran 


ian businesses): 


| 4. Business Oneraling Name: 


7, Prewince/State: | &. Country: 


11. Business Address (if different than mailing address): 


13. Province/State 


ct aii ing appiy 


progrietor ether, specify 


Due D] Yes 


yes, is ihe corporate head offica aware of this application for temporary foreign workers (TEAN? 


Provide the name of the corporation: 


18. Date Business Startec: 


18. Website Address: NY 
S. VWeosite Address OY YY-MM-DDI 


Shag kt 


STR 


NONE 
ESDC EMP5802 (2015-02-0013 E Page 1 of 14 Cana: dà 
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2. dob THe: 


21. Primary Contact Mame. — 
First Midge Last 


| 23, Contact Phone Number: Ext. 


ARR SEE 


RR 


26 P referred Official Language af Correspondence: 
: = Tan | M Sede 


oo eon E AA re ————— 


2 Name of third- eny. recruiter or employ Tenis sgenoy: 


| 1 Are you Using xvm ACES ota Depart recruiter e emp! ioyment a agency for the 


purpose of WD a TRY? 


Yes  ifyes, complete the boxes on the right 


Note: 
in some provincesiterritories it is mandatary to be registered in order ta recruit 
TFWs on ini a an SH AS more ied visit: 

www exce ie 


3. Registration, license or certificate riumber 


ting this applications form | 5. Name of third-party representative: 


&, Are you appointing à ture party io represent you in zempieli 
| of to provide advice in en immigration process? 


Ld No 


&. A number of provincesteriones prohibit the c harging ug cruiiment fees to TES f foc the purpose ots securing a jon offer. Have you the employer or any 
other third: party it connection to this job offer ie cde pág nent from the TRYS to secure this offer of employment? 


a Yes IN 
konst 


= Yes if yes, complete Schedule A - Third-party representative 


à LE —À i T ARENE EES T E EE M M MEE CM ME C 
1. Number of f employees S currently employed national; ty under this Canada Revenue Agency Business number (e.g. 5 franchises are covered 


i c the business number and inere are a total of 100 employeesy 
SORA NEN RP NI I TIER NER 
2. Total aimbe of empioyses currently em iuc d at the work location specified on this forme 


' 3. Total number of Canadian/permanent resident empioyees at the work location specified on cue form: 
eee ae . 


4. Total number of employees (including Canadians/permanent residents and TANS working in [his occupation at this work location. 


€ L MIA) at ilie work ead specif led: on this form 
MoSHive LM T" in the ta st two years, prior te December 3 31,2013 


i 2. Total number of TEWs (as the result of receiving a 


&. Did you e 


f 


Tes P001 No 


— €: 


Ei did you g 
-Stantialiy the så 


M 


H 
H 


and employed a TFV in that position? 


H8 YES — did you provide al! TFW's employed by you, on LMAS received on or affer Dec ember 31, 2013, with employment in the same occupation as 
described in the ofensi of employment (and confirmed in ihe L MIA letter(s) end annexeisp and with substantially the same wages and working con ditions 
- but not less favourable than- those set out in that offers) of employment (and confirmed in the LMIA letters) end annexes)? 


n 


Nota: 


Emptoyers Should be aware that with recent changes to ine immigration and Refugee Protection Regulations, the look back period has changed fram 2 to 
8 years. However, this change is na retroactive and, tieretore will not be fully implemented until January 2020. 


s from the date you submited this application? - 


Po. Have you had an L MIA revoked wi itin the previous 2 3 


+ he |] Yes 


| yes. was the LMIA revoked because you had provided false. misleadi ing or inaccurate information in the contest of a request for an opinion. 


No i | YES if yes, please provide the following details regarding this revocation: 


Date (YY Y Y-MM-DO Sy 


if ihe public policy erations that justifled the revocation are na longer relevant, please provide a detailed ezpianatian: 
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| 5. Were any employees isid off in the past 12 months? | 
| iL. No 
_ Yes H yes, how many Canadians/permanent residents? How many TFWs? 
Rensonis) for layoifisi and occupations affected: 
: siness receive support through Employment and Social Development Canada's Work-Sharing program? 
p.i; NO 
Yes If yes. provide details: 
| JOB OFFER INFORMATION 
| E you are requesting an 1 MIA to fill multiple jobs for the identical posilion/occupation, provide the job offer information onty ance. 
| However, if there are multiple jobs for different positions/occupations, use a separate application form for each unique position/occupation. 
Lo rt rm a 
i Are you applying for an LAIA tohire a TFW in a Caregiver position? ^ «NG i Yes 
if yes, employers hiring: 
j * an In-home Caregiver must complete this fons and Schedule G - In-Home Caregiving Occupations. 
: * @ Caregiver io wak in a Health institution must complete this form. 
Fe a an aa NN de in EE en a nnn nN —————— RR Ach pr aaa hth apap pa mane 
| 2. Job Title: 3. Number of TFWs requested for thi ip description, 
l iocalion, etc.) 
i 4, Expected employment duration 
| Days weeks months years 
&. Provide exact location where the TEW will be working inumber and street address} 


. Bachelor's degree 


VERI 


| Trade dipiomasicertificate | | Secondary school 


| Vocational schoo dintema/cartificate 


No formal education requirement 


i 
| 


Agdiienal Information 


i —— — M— — ARS nn 


te. Minimum experience/skits requirements of the job: Gnude years of experience and/or occupational designations such as CA, CMA. CGA RN. D ) 
13, indicate the language requirement stated in the offer of employment: 
| | English |j French . , English er French — || | English and French 
1 MÀ . " "PRA ; , EO em B " TE E 
i : i The offer of employment requires the ability to communicate in writing in: 
| | English ..; French |, English or French : English and French 
Ory | iam 7 EOS PRA Page 3 ot i4 
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PEM a am m I APPETIT SPIRI io 


i The offer of employment requires the ability to communicate in a language other than English or French. 


if this option is selected. identify the specific language needed and clearly describe why this is a bona fide employment requirement for performing the 
duties associated with the employment, If insufficient space, attach a separate signed and dated sheet. 


14. agen Canadian E chars and number of work hours: Note: Employers must provide the! 


caiculalion of an hourly rate. 1 
£i SUE. | Der Vii Es : 
| $ per hour $ per year Number of hours Total number of Total number cf | 
i per day hours per week hours cer month | 
| | 
i Ovenime rate of $ | starts after | hours of work per week i 7 : 


tat a a 


15. Whatis the wage range tor these employees Curreniiy working in this occupati ian at this work location 7 


ere are no employees current! 


seorking in 
üon 


Lowgage: $ eur High-wage: $ four OR | : ELA 
€ ———————SO NB OT AT a a aa aE AEA Li this occupation at this werk foce 
pM 


Qe, 


2 pay periods thal have occurred within the S weeks pror to suami thing | me application. 


it of business days per year} OR Remuneration: i*& oi gross salary) 


employment (al least 58 hours of work per week) throughout the duration of employment covered by the LARA ? 


s Ben efits: 
^ | Qisabilily insurance ^ | Dental insurance “~~ Pension ^7 Extended medical Insurance (e.g. prescription drugs, paramedical senáces, 
e IY | eed dois M '— medical services and equipment) 


ncialterritonal certification, | 


ensing or registration red deements for thís job? 


— TSS qf yes what is the name of the certifyingticensing/registering body? 
Will the the TEW R ve ail required certification. ice Sing, or registration pior to entering and starting werk in Canada? 


L No  ifno indicate the anticipated pedo: of time to acquire all of the required qualifications after starting work 
Days WRERS months 


|] Yes ifyes the TFW must have proof that he/she already has all the required qualifications. 


Note 

Securing the necessary documents to practice in Canada is the employer's and the workers responsibility. CH must be in bis that the skilled workers 
&re capable of performing the employment being offered to them. CIC will check to ensure the skilled workers hoid ine required certification. or icense to 
practice in g regulated occupation i in Canada. if the applicant is not certified ar licensed, CIC will assess whether the applicant à is kely to qualify for 
üicensing/certification when in Canada. 


SS is the position part ota | urdon ? 


No | | Yes  ifyes, what is the name of the union and the focal? 


1 
1 

H 

Ce — 
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me x ie AAA rii TITTLE IE arr e E VAR RR ne PEET I 


Has the union Geen consulted about the hiring of a TEV? 


(2 No if no, explain 


Yes if yes, whai is the position of ihe union? Provide details and attach documentation. f available 


25. Have you altempted to ecruit Canadiansipermanera residents for this job? 


E Mo ng, explain. 


— 


m Yes ifyes, you must provide proof of recruitment (eg copy of advertisements and information to support where, when and far how long the 
—i position was advertised]. 


In addition, if you advertised on the Job Bank (or the provincialterritoria E equivalent), provide the order number 


| 24, What are the potential benefits to the Canadian labour mark etf for offering this job toa TRAMs}? 

| Filing a labour shortage | Development or transfer of skills and knowledge for the benefit cf Canadians/permanent residents 
| | Omer || Direct jc creation or job retention of Canadians/permanent residents 

i be 

i Provide Details: 


——————————————————— 


the iob offer you are making tothe TRA! s) and describe ^ hos this wi meet your empioyment needs: 


&. Da you plan to hire or yan 


Canadians/permanent residents for the positionis) for 


No fno, explain. 


Yes if yes. provide a brief description of the training plan. 


Na, but i will assist by doing the following: 


i per month 


Yes Ifyes, please indicate the rent: CADS _ 


and describe the type of accommodation: 


Not applicable 


nna 
E [XM - Fragt R " : i any ans: em F E a n 
: MNumDer of n a received from Canadiansfpermanent iz ae of í Canadian/permanent resident applicants intendewed 
residents: i 
| DENIED NI et EE ERE RR RE | 


| 3. Number of Canadiansi/permanent residents offered the position: 4. Number of Canadians/permanent residents hired: 


NT 
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ee EEE EE ET IA A n TI re NUITS EI PA SEA EE i e PRAE pisses PES 


8! Number af Canadian/permanent resident applicants who were no t qualified 
for ine job: 


aisant, provide an expansion c as to whythe candidate cid not meet the requirements o the position, if 
ree sary. Slaka a separ te sheet, te in aot provide the names of the candidates (e.g. applicant #t — has not co mpieted the apprenti 
donem and erie: cannot work as a joume yperson, applicant #2 — (unable to communicate in English ta the level required for service in a fast paced 
environment). 


ship 


aan 


M 


} 
| Thera are 2 possibilia paths for employers to iran sition to a Canadian workforce. The path that an employer must follawis determined by the wage 
being offered to the TFW for the position, in relation to the provincilal/terrítarial median hourly wage, based on Statistics Canada's Labour Force 
Survey (2014). 
Exemptians: 
The requirement to transition to a Canadian workforce is not applicable to employers who are hiring TF Vs for: 


* Of-farm primary agricultural positions, specifically 

* farm managers/supervisers and specialized livestock workers (NOC 8251, 8252, 8253. 8254 and 8258); and 

* general Tam workers, nursery and greenhouse workers and harvesting labourers (MGC 8431. 8432 and 4644 23 
* Caregiver positions i a: 

* private household (NOC 2152, 2233, 3413, 8741 and 64741 and 


Ec 


* healih care facility (NOT 2182, 3233, 3413 and 8741). 


* positions where they are submitting an application to exclusively support & 
wil not be applying for & work permit). 


Vs permanent residence under an Express Entry proc 


d 
£t 
E 
z 
TAE 
et 
n 
zi 
Ti 


* positions in highly mobile industries or accupations when the 


* workforce regularly crosses interjurisdictional boundaries (e.g. provincial, territoriai and mternational) as part of ihe business’ 
ongoing operations or the international mobility-based nature for an occupation; and 


* position wil not be filed after the worker leaves. and 


+ position is for 120 days or less, 


Note: 
i5 exceptional circumstances the position can be for a period cf more than 120 days when the entry of TFYVs has impii 
anms pulsic heat and safety. 


shes wage YOU are e offerin :g for the position at or above the provi edian hou 


ty wage in the provinc cet mitory wi nere the ibi iS tocated? 


| Ó No if ne, complete the following Section À — Cap for Low-wage Positions 
i Yes i1 yes, skip to Section B — Transition Plans for High-wage Positions 


pu overs hiring TRAYS and ‘offering a wage that is below the crovincialterntorial median hour srl wage will be subject ios maximum 1 095 Cap n y the proportion 
of these low-wage TRANS. The cap will be phased in over the next 7 years to provide employers who use the program with time to transition to a Canadian 
wondonce. 


| nel e that have a low-wage TEW workforce will be subject to an established eap, which is the lesser of their currant percentage of TES in low-wage 
: pos d 9f 
30% as of June 20, 2014 
2096 as of July 1, 2015; and 
1099 as of July 1, 2015. 
ESOC EMPS502 (2015-03-0043 E Page B of 14 
RU SR a EŇA a auaşġěüĚl a 


Canada Border Services Agency 


CBSA - Released under the Access to Information Act 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information. 


TFWP ISA with ESDC | PIA 


Exemptions to the Cap Requirement: 
There is ane exemption to the low-wage cap requirement. Employers should check the box if the following is appücabie ta their business: 
EAM MEL business has fewer than 10 employees nationally, including the position ta be staffed with TEWS: 
Employers, who are exe from the Cap requirement, qo to the IMPACTS ON THE CANADIAN LABOUR MARKET section. 
Empioyers, who are NOT exempt from the Cap requirement must complete Schedule E - Cap for Low-wage Positions. 
j Section B - Transition Plan for High-wage Positions 
| The Transition. Pla: nisa | mandatory require for all ‘employers applyin 
; above the provinci ialterritorial median hour: Age. 
; Rationale For Possible Exemption: 
To be considered for an exemptioi ilt having to provide a Transition Plan, the employer must complete this section and 
| provide a justification on how they meet the criteria indicated in the following question. Exemptions will be conside ered lona 
| case by case basis. 
| Employers who are NOT exempt from the Transition Plan requirement must camplete Schedule C - Employer Transition 
Pian. | 
: | 
What are the requirements of the position? Select all of the exemption criteria that apply to the. position specified on this 
LIVIA. 
—; The position has a limited duration which means - the job is time-limited and will! no longer exist after ine TEW leaves. 
The vemploytegt 8 duration is: 
j| 110120 days (e.g. emergency or warranty work) 
| j More than 120 days to a maximum of 2 years (e.g. non-recurring project-based positions) 
| The position is exempt under the Quebec Facilitsted Process 
(Note: Under the Faciitated Process, a Transition Pian is only required on the second LMIA application for the same occupation.) 
: Provide details: 
IMPACTS ON THE CANADIAN LABOUR MARKET i |' W|V[CCvCU*É v 
The questions in this section are to be completed by aii employers. The. response to these questions will assisi the Program to determine the im 
empioyment of temporary foreign workers will have on the Canadian labour market. 
| For the purpose of the Program: 
Offsharing - is the relocation by a company of a business process from Canada to ancther country, This would include an operational process, such as 
| manufacturing, or supporting processes (e.g. accounting oc IT services), More recently, offshoring has been associated with technical and administrative 
| Services supporting domestic and global operations from outside Canada. 
Outsourcing - is the contracting out of à Canadian business process to a foreign or Canadian third party or ganization resulting in the entry of 
; Temporary Foreign Workers into Canada. 
j 1. Will the entry of hese TF Vs lead to job losses, now or in the: foreseeab! ie future, for C en anadi ans/permanent residenis as a resuit 
| Oliay-GHs, outsourcing. offshoring or other factors related to utilizing TFWs? 
| FT Nb 
2. 
| m Yes if yes, provide a summary of the impact c hiring these TFWs, on your workforce (e.g. lay-offs, relocations) and the Canadian workforce more 
E generally 
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^ issue nnm nme 


that will facilitate outsourcing or offshoring? 


z. is this jab offer related ta an activity, contract or a subcontract 


i Mo  Iifno,golothe next section 


|o | Yes If yes, you must 
- complete the Toiicwing questions (ato c) and 
-have each employer with whom you have a contractual arrangement to provide services, complete a separate 


Schedule B - impacts on the Canadian Labour Market. — N » - 


&.) Provide a summary of the contractual arrangement setween the employer of record and the company receiving sendces including (but not Emited 
toj information on: the purpose and scope of the areect, the project timelines, the expertise required, and ihe summer of Canadians and permanent 
residents working on the praiect. 


pact Assessment-exempt processing stream? 


; where a foreign nalional has € 
- cd) Provide a summary of the impact of hiring these foreign nationals on Cenadians/pe in the company receiving 
| services under this contractual 
- ILMA po D BEEN 
= Tyce of Production: ~ 0 i 


&. À copy of the contract between the employer and the foreign entertainer must be mci TV requests. 


| isthe contract included with application? [Yes The ifno, please explain: 
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reves, 


| TEMPORARY FOREIGN WORKER INFORMAT! ON 


" you are hiring more than one TFW, use separate sheets to identify each KOKA coming to work tor you in Canada, 
if the TFW information is not available, leave this section blank. 


Note: 
Aker the positive LMIA leter and annexes have been issued, six months will be ailecated te the: 
. employer ta provide ESDC/Service Canade wih the names ofthe TEYS and 


‘ TFWSs to submit an application for a work permit to Citizenship and imrniges 


E 


t. Sumame (famiy name) as shown on the pessport: 


| 4. Date of Birth iY 


ECM OOK 


5. Location of residence outside C 6. Citizenshipis 


ver location (city and province: and immigration status: 


Province: 


Eire ty gee : 4 - 1 TIE $ 
acus. G Temporary Foreign Worker = Temporary Foreign Worker Visitor [| Student E Refugee Claimant 
(Foreign Live-in Caregiver} 


$ e 
i 


DECLARATION OF DECLARATION OF EMPLOYER © 


Pam a n unincorperated employer, sale proprietor or perinershig. 


if you answered "YES" to tie above: 


t the federal — |j Yes 
ominee Lie. | hereby consentito ESDC 
est for a Labour Market impact cec. tothe 


inderstand that some provinces and terriboties operate B 
Jepariment of Citizenship and immigration, Provincial N 
roviding the personal information contained in ihis requ 


i provincial/territortal aovermmentis) of the province(s) or: itaryties) where | carry on business | 2 i NO 
to be used by the province(s3 or ternitoryries) for the edasnistration of their Provincial Nominee | vU 
wo, e Cromrams 
. | certify that lam an employer who does not, on i or erctic massages. understand that 
^ &ny LMIA application from an employer, who offers these serie ces ong Minima basis. wit not be processed 
—— i certity that lam actively engaged in the business in pane t of which the offer of employment is made and understand that | must remain so curing the 
— freriod of emplayment for which the work permit is issued TRANS). 
| jd certify that ihe offer is consistent with my reasonable employment needs 
a i certify that | am reasonably able to fulfil the terms of ine employment offer 
c Dés hab i am compliant with, and will comply with the federal/provinciaiteritorial laws that regulate employment end the recruitment of employees, 
“if ihe provincedersitery in which itis intended that the TFWs work and, if applicable. with the terms and conditions of any collective agreement. 
., i&ettify thal all recruitment done, or that may be done on ipo behalf, by a third-party was, and will be, in cormpiisnce with federa! Vprovincialfternitorial 
z, E ne recruitment, Í acknowledge and understand that | wil be heic accountable for the actions of à ry thirc-party recruiting TRS oa my 
| opo dcenifyihat | am aware of the published recruitment and advertising requirernents of the T iemporary Foreign Worker Program. Fam, anc wil continue to 
| cc be, compliant with these requirements and | can provide proof upon request. 
i 
i __ eeiythatthe employment ota foreign worker wii not adversely affect the settlement of any labour disme in z aieo 55 or the employment of any 
| … PErson involved in the dispute, should there be an ongoing or pending labour dispute at my business. | will inform Service Canada in ihe case one 
should develop. 
V. 3 ane pna kar S D i Me az 4 ü rt 43 
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| | 
jor b will comply with the prevailing wage requirements and | agree to review and : just, when applicable, the TFs wages, atleast annually, icensure he/ | 
| —— she continues to receive the prevailing wage for the occupation and region where ha/she is employed. 
| - | | sertify that 1 wil make reasonable efforts ta provide a workplace that is free of abuse which includes physical, sexual, psychological er financial abuse. 
|o 1 certify that | will provide the TF Ws with employment in fhe same occupation as that set out in the TFWs offer of employment and with wages and 

— working conditions that are substantially the same as — but not less favourante than — those set out in the LMA teHer and annex A 

| i agree that | will not recover any costs, directly ar indirectly, associated with seski gan LMIA from amy TFI. 

—31i acknowledge and understand that for a period of six years from the first day of employment of the TFWis), 1 

-=i reiain any documents that relate io the LMIA application and the terms and conditions of the LMIA letter and 

—3 if required, | will give afi reasonable assistance to the officer conducting the inspection. | will attend interviews and on-site inspections, 

—" answer questions, provide information and documentation that relate to the conditions i have agreed ta, pertaining to the LMIA letter and annexes. 

5 UbGerstand that should an on-site inspection be required for verification of compliance with the conditions stated on the LMIA letter and annexes, the 

, i inspections may take piace ai any premises or location where the TFW(s) perforasi work and any premises or piace thal the employer has provided to 

ihe TFW[s) as accommodations. in the case of private dwellings, employer consent or a warrant will be renüired. 
| bwill provide Service Canada with the names ofthe TFs} | intend fo employ wittiin six months from the date on the LMIA letter. 
; | declare that ihe employment of the TEWAS) is likely to have a posilive or neutrat effect on the Canadian labour market and will not lead te job ioss or 
i reduction in work hours for any Canadian or permanent resident during the period of empioyment for which Ihe work permit is issued. 
| 
i | agree to pay the tatai fee indicated in the Labour Market Impact Assessment Application - Processing Fee Payment section, either by credit cs 
Porc. certified cheque/money order. | also acknowledge that if 1 do not submit my payment, my L MIA application wil re ation and 
| — the requirement to pay the processing fee are NOT applicable to employers who meet the definition of on-farm primary agriculture and ere hiring TEs 
in the following MOC codes 8251, 8252. 8253, 8254, 8256, 8421, 8422 and 8644. 
" Employers hiring TFWs in low-wage positions must check the following boxes to declare that they comply (or will comply) with the statements 


; Below. 


: t Rave signed and enciosed a copy of the employment contract related to the job offer referred fe in this LAIA apmücston. | certify that this offer of 
— employment meets ali Program requirements. The terms and conditions in the offer, including the wages, working conditions, job duties and any 
— benefits are (or wil be adiusted to be} the same as those thai will be descrited in the LMIA letter and annexes. 


AAA 


: —3 Pil retain @ copy of the contract, related to the offer of employment, signed by aii parties. | understand anc agree that ESDC may request a copy 
| —— during an employer compliance review or an inspestion. 
i will pay ali transportation costs for the TFWisi to iravel from their country of residence to the location of work in Canada and for the return 
| y transportation to their country of residence, ifthe TEW is already in Canada, i wil pay aif transportation costs fram their residence in Canada to the 
| c location of work in Canada, and for the return transcortation to their country of residence. i will nat recover, chy of indirectly, amy cf these costs from 
i any TRIES}. 
' iiwili arrange and pay for private health insurance for the TEX, which is siradar te provincialterritorial health care coverage, until he/she is eligible for 


provincialAerritoral heallh care insurance coverage iyhere applicable) and wii not recover these costs from the TEN. 


important : 
| Employers must immediately inform Service Canada of any changes related to the foreign worker's terms and conditions of employment as 
| described in the positive LMIA letter and annex. if Service Canada accepts the employer's changes to the original LMIA, the employers’ file will be 
i updated accordingly. 


in accordance with the provisions of the Immigration and Refuges Protection Regulations, ESDC may conduct an inspection to verify the employer | 
compliance with the conditions sat out in the positive LMIA letter and annexes, As a result, this inspection could include a review of the employer's 
file and if Service Canada does not have a copy of the changes, the employer will be held accountable for the information that is on file, 


t ttt deu 


n 
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PN PDA 


| SIGNATURE OF EMPLOYER. 
The individual signing this form must have authority for either the hiring or financia! decisions of the organizatian (e.g. OWnef, franchisee, general 

| manager, ar senior executive - such as VP Human Resources}, For in-home Caregiver pasitians, employers must be a parent, legal guardian, be the 
recipient of care or have a valid power of attorney, etc, 


i] have read and | understand the Personal information Collection Statement faund at the beginning of this application, | 


| declare that tha information provided in this Labour Market Impact Assessment is true, accurate and complete, 


i i 
* 
H 


| Signature of Employer Pnnied Name of Employer 


| Tite of Employer 


Fl 


ba liable to a fine ar to imprisonment, or to both. Also, providing inaccurate information, in the context of this application, may isad to sn | 
| administrative penalty such as being ineligible to access the Program for a periad of two years. 


| A person, who contravenes a provision set out under sections 126 or 127 af the immigration and Refugee Protection Act imisrepresentatíon), could | 


Da 1 (b : 
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DOCUMENTATION REQUIRED 


| Mew employers hinng a TRAY must always submit one document which supports their active engagement i in ihe business, Retuming appicants tothe Program 
gre not required to resubmit any documentation. However, ESOC/Senice Canada may request employers submit additional documents when they are 
applying for a new LMIA Employers, who provide documents that are not requested, may find that this slows down the processing of their application. 


Fa required document is sot attached, please explain. 


when and for how long the position was advertised] 


l Business registration or iegai incorporation documents (if first LMIA application) Does net apply fo employers of in-home Caregivers, 
i TTAAii ETOO A R i 


Guginess license {where apsiicable and if first LMIA application) Does not apply to employers of In-home Caregivers. 


A 


| | Canada Revenue Agency: 


E 2 Schedule 100 Balance Sheet Information (for corporations only — 2 most recent: returns filed) 
| . 5 Schedule 125 income Statement Information ifor corpor ations only — 2 most recent returns filed) 


| Only required ifihis is the emplayer's first LMIA application. Does not apply to fim and entertainment or employers of In-heme caregivers. 
Y ply y 


H 
i 


i 


as Pies lon by a lawyer, notary public or chartered ecceuntant confirming that he Dusiness exists and the main activity of the business . (for sofe proprietorship/ 
nership) 


Brovincialterritarial workplace 5 


afety and insurance ie a. workers compensation board) clearance letter/certificate ü applicable) 


x 


iercial lease agreement (where applicable and if first LANAJ Does not apply to employers of In-home Caregivers, 


um and Entertainment ~ sony of employment contract dd fiim and TV) 


Provincial Socumeniaien requirements (for the provinces noted below): 


| ALBERTA - Employment Agency Business Licence (Aberta s Pair Trading Act if applicable 
BRITISH COLUMBIA - Employment Agency License (British Columbia's Employment Standards Act if applicebie 

MANITOBA - Certificate of Registration (Maniloba's Worker Recruitment and Projections Acti 

NOVA SCOTIA - Employer Registration Certificate (Labcur Sisndarads Code) 

| SASKATCHEWAN — Employer Registration Certificate (The Foreign Worker Recruitment and immigration Services Acti ing documentation required, however 
| employers must be registered). 


: Nota: 


in same cases the province may net provide a physical document but rather post the names of registered/cenified employers on a website. 


Sand Application and all Supporting Documentation: 


| Employers must sign, and send the completed appli cat 
ian their area. A list of LMIA Processing centres is aval 
WW esde ac ca/engüobsforelon, wodkersisco. shtmi 


ri end aii required documentation to the Service Canada Centre responsible for proces g applications 
ie on the ESDC website: 


moloyers hiring In-home caregivers must send the compisted application and all required documentation to the Ser mice Canada Centre, in Onlano 
du ible for processing in-home caregiver applications: www eee ac. eafengfobsdoreu SOS 


Ai amployers requiring assistance can contact: 
| 1-800-387-2693 (toll-free? from within Canada and the United States 


B T 


366-546-7569 from outside Canada and ihe United States 


| Note: 
A compigte application means thal employers nave: 


* flied out all of ine fieide in all ef the necess ary forms; 
. included all of the required documentation: 
. signed the forms where required; and 


* 


submitted the tee payment with Ihe application. if applicable 


if an application is submitted and itis not Complete, Service Canada staff will inform the employer that the application sili net be processed. Incomplete 
appications and supporting documents submitted with the application will not be retsined er returned ta the employer. As e result, employers are achised to 
Submit copies, not orginal documents. 
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Please complete the Labour Market Impact Assessment - Processing Fee 
Payment Form Printed on next page 
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Employment and Emploi et PROTECTED WHEN COMPLETED - B 
Social Development Canada Développement social Canada 


For office use only 


LABOUR MARKET IMPACT ASSESSMENT — PROCESSING FEE PAYMENT 


Employers must pay a processing fee for each position requested, except applications that involve on-farm primary agriculture occupations such farm 
"ansgersisupervisors and specialized livestock workers and general farm workers, nursery and greenhouse WOKETS and harvesting labourers (specifically 
NOC codes 2221, 9252, 8253, 8254, $296, 8431, 8432 and $611), and those solely io support a foreign national's s immigratian application. 


The total processing fee, where applicable, must be paid before the emplover's LMIA application can be processed. 


Step 1 - Complete employer information section: 


: Employer Business Name: 
Canada. Revenue Agency Business Number: 
(First 9 digits are mandatory for c Can adian n empi loyers 


Step 2 = Calculate total labour market impact assessment processing fee in Canadian dollars: 


Number of positions requested A St 000 = TOTAL processing fee payment of $ CAD 


Step 3 - Select method of payment: 


| | Certified cheque ar money arder (postal or bank) made payable to the Receiver Generel for Canada 
Credit card (Visa, MasterCard, American Expressi 


Fer payment by credit cand, complete and sign this section 


m cate CARD INFORMATION AND PAYMENT AUTHORIZA c 


; Name of cardholder i ias f appears on the credit o cand 


POM e 
xen l | MM due 


| Credit card type: 


| | Visa JasterCard | |Amerncan Express 
AUTHORIZATION: en ——— 
f authorize zSDC/Service Canada in the name of the Receiver General for Canada to charge SCAD to my creditcard 
This is permission for a single transaction, and does nct provide authorization for any additional charges. — | 
ae ds MN re na iii e lee — : d 
yvYY | M DO 


Refunds will only be provided if à fee was collected in error (e.g. an incorrect fee amount was processed) There will not be refunds in the event of a negative 
labour market impact assessment since the fee covers the process fo assess an application and not the outcome. 
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socal Development Canada — Developpement social Canada 


SCHEDULE A 
APPOINTMENT OF A THIRD-PARTY REPRESENTATIVE 


Employers should visit nalobsforeign workersdndex shiii. 
1o verify that the Program 1 is ee app plica tions for the ee a or sector for which they wish to hire the temporary 
foreign worker (TFW) and to determine if they are eligible to participate in the Program. 


Personal information Collection Statement 


SEM. DT 
E tot pelos Gee med X 


Le ie 
à 1 


A person, who contravenes a provision set out under sections 126 or 127 of the immigration and Ref: gee Protection Act imisrepresentation), could 
be liable to a fine cr te imprisonment, crie both. Also. pre siding inaccurate information, in the context of this application, may lead te. an 
5 the dn for a period of two years, 


For the | purpose ofa labo ,ehen appointing a third-party representat ve all ernpio 


submit this form. According f to une On 8: rat Gf the immigration and Refuges Protection Act RPA}. Employment and Social Development 
Canada d i and Citizenship and Immigration Canada (CIC) will only conduzt business with authorized representatives. The types of autharized 


representatives that can be used by employers are Histed on CIC's website at: ss 


administrative penalty such as being c is to 2008s 


mplete and 


ER 


jx. 


Canac 
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MEMBER SHIP TX 


a SOMOS eon 


PROVING ESTER RITOR Y: | MEMBER SH PID: 
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MEMBER SHIP IX 
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| FOR THE PURPOSE OF THIS LABOUR MARKET IMPACT ASSESSMENT APPLICATION: 
| 
iMame st semidoyan 
| 
i 
i 
Te eonana Number res nUwurber 
| ans . 9oasten at 
Wave cleng oyen nunta I f asp ioscle: : 
Tesohona Number. 
atm as cy zien my bebai n odar to opa a La cor Market mw»acDAsserzs"mettapoyon 
[ione tace 
"isis sopaintvent 
Signature of eraployar ^ Date (Y YY-MM-DD) 
Signature of employer number 2 Uf applicable 
3] gn atu re of Er in ESS Pri nies Mare gf witness | icta duc 
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PERSONAL DETAILS 


i Eoi same. 


i Have uou coser oard any other name leg. Nickname, maiden name. alias, etei? 


this 
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: Pi m at birth 
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SCHEDULE 1 
APPLICATION FOR TEMPORARY RESIDENT VISA 


The principal applicant, his or har spouse or common iaw partner. if applicable. and all dependent children aged i8 years cr older listed in the 
application for temporary residence must complete their own copy of this form. 
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ring Tool 


The following text was taken from ESDC's Online Fraud Reporting Tool which is presented to users in a 
step-by-step format. 


Step 1: How to start 
Reporting abuse or misuse for the Temporary Foreign Worker Program 


Here are a few things to keep in mind before beginning the online reporting process: 


e No feedback will be provided as a result of you submitting information through this 
process. 

e We will not release your identity unless you provide your consent. Sending us your 
contact information is optional. All leads, whether collected through this tool, or by 
another method, are privileged and subject to the provisions of the Privacy Act. 

e  ESDC/Service Canada does not pay for information received from individuals provid ing 
leads on suspected fraud. 

e We take all informant leads seriously and apply the same procedures to all information 
received. However, we encourage you to provide as much detail as possible to assist us 
in understanding the nature of the allegations. 

e Once you have submitted the information through this online process you cannot revoke 


k It. 

e All information is reviewed to determine the validity of the allegations and whether 
further action is necessary. It may not always be appropriate or possible to act on the 
information immediately, but we will review it and take necessa ry action. 

« Read through the privacy and security statements. 

Step 2: Review privacy statement 

Privacy Notice 

Personal information is collected under the authority of the Privacy Act. 

The information will be used to follow-up on the lead to determine if there is an element of non- 

compliance with the Temporary Foreign Worker Program legislation, and if applicable, provided 

to the corresponding compliance program for appropriate enforcement action. information may 

also be referred to Citizenship and Immigration Canada (CIC), the Canada Border Service 

Agency (CBSA) or Employment and Social Development Canada (ESDC) in the event that the lead 

relates to one of the programs they administer. 

The information you provide is voluntary; it will not affect any dealings you may have with the 

Government of Canada currently or in the future. 

You are not obliged to provide us with personal information about yourself. If you choose to 
7 provide your personal information, we may contact you to clarify statements or ask for 


Canada Border Services Agency 
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Canada Border Services Agency 


to protect the identity of informants, information that may indicate the identity of an informant, 
and even information that might suggest the existence of an informant. 


Individuals also have rights of access to, correction of, and protection of their personal 
information under the Privacy Act: Access to Information. 


Security Information 


The Government of Canada, Employment and Social Development Canada and Service Canada 
(SC) are committed to providing visitors with Web sites that are respectful of the diverse needs 
of Canadians, as well as privacy and copyright laws. 


We will ensure that the electronic services we offer continue to meet the strict privacy, 
confidentiality, and security standards that the legislation requires and that Canadians expect 
from us. 


Service Canada uses corporate firewalls to protect our Web servers from unauthorized access. 
Any personai information you provide is not stored on these servers; we securely store your 
personal information on separate computer systems that are not directly accessible from the 
internet. 


Refer to the Terms and Conditions for the policies and practices that Service Canada adheres to 
for all online activities. 


Step 3: What to send us 


The following information will help us determine whether we should undertake an investigation, 
audit, or other action: 


e Name(s) and contact information of those suspected of abusing or misusing of the 
program including their address and email, etc. name of those involved (if known) 
e Type of abuse you suspect that is relevant to the situation: 
o resident status 
o employee abuse, intimidation, withholding passport or pay cheques, etc. 
o different/wrong occupation 
o displacing Canadians 
ə Details of your observations 
+ Relevant documents: have you seen documents? 
e Your name and phone number (optional: you can remain anonymous); if we require 
more information, can we contact you? 


e Location and name of the business or organization name (if applicable) 


You may not have ali the suggested information, however submitting as much detail as possible 


will enable us to take the appropriate action to address the issue. 


For confidentiality reasons, note that we will not provide you any feedback or give you an 
update as a result of the information you have submitted. Please be assured that we take all 
reports of potential misuse or abuse very seriously. 
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| Additional Relevant Information (as applicable): , 
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| Allegation: 


| ESDC contact: 
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INFORMATION SHARING AGREEMENT INVOLVING PERSONAL INFORMATION 


Between: 
The Department of Employment and Social Development 
(Hereinafter referred to as ESDC) 


AND 


The Canada Border Services Agency 
(Hereinafter referred to as the CBSA) 


1.0 ENTIRE AGREEMENT 


l1 information Sharing Agreement (ISA) 
The ISA, its Annexes and any amendments made thereto, constitute the entire 
agreement between the Parties (Agreement). 


12 Amendment 
Unless otherwise stipulated, any amendment to the Agreement is subject to the 
provisions in the core agreement. 


1.3 Definitions | 
Definitions for terms used in this Agreement are set out in Annex A. 


2.0 THE PARTIES 


2.1 ESDC 

The Department of Employment and Social Development (ESDC) was continued 
under section 3 of the Department of Employment and Social Development Act 
(DESDA). The Minister of ESDC is responsible for all matters relating to human 
resources and skills development in Canada or the social development of Canada. 
The Minister of ESDC is also responsible for the administration and enforcement of 
certain activities under the Immigration and Refugee Protection Act (IRPA) and the 
Immigration and Refugee Protection Regulations (IRPR). 


2.2 CBSA : 

The Canada Border Services Agency (CBSA) was created by Order in Council in 
2003. The Canada Border Services Agency Act sets out the responsibilities, mandate, 
powers, duties and functions of the Minister responsible for the Agency and its 
President. The CBSA is responsible for providing integrated border services that 
support national security priorities and facilitate the free flow of persons and goods, 
including animals and plants, which meet all requirements as set out in the CBSA's 
program legislation (see section 2 of CBSA Act). The CBSA is responsible for 


UNCLASSIFIED 


administering and enforcing the Customs Act, Immigration and Refugee Protection 
Act (IRPA), and more than 100 other Acts, related regulations, and tariffs. 


OSE OF THE ISA 


3.0 PURP 


3.1 This Agreement establishes an administrative framework for the exchange of 
personal information between the Parties including all aspects of collection, use, 
disclosure, retention and destruction. 


3.2 This Agreement identifies the personal information to be disclosed, the 
relevant authorities, and the terms and conditions under which that information can 
be shared between ESDC and the CBSA for the administration and enforcement of 
their respective responsibilities under the IRPA and IRPR; jointly referred to as 
IRPA, 


3.2.1 The CBSA seeks to obtain information from ESDC for the 
administration and enforcement of the TFWP and the IRPA. This inciudes, but 
may not be limited to, the issuance of work permits, determinations of 
admissibility and investigation and intelligence gatherin g activities for the 
administration and enforcement of IRPA, 


3.2.2 ESDC seeks to obtain information from the CBSA for the 
administration and enforcement of the Temporary Foreign Worker Program 
(TF WP) and all other activities assigned to ESDC under the IRPA and the 
IRPR. 


40 DISCLOSURE BY ESDC TO THE CBSA FOR ADMINISTRATION AND 
ENFORCEMENT OF THE IMMIGRATION AND REFUGEE PROTECTION ACT 


41 Authority for ESDC to disclose information 

Pursuant to subsection 34(1) of DESDA, ESDC has the authority to make personal 
information obtained or prepared under its programs (including but not limited to 
the TFWP) available to the CBSA for the administration or enforcement of the IRPA. 


Pursuant to subsection 35(1) of the DESDA, ESDC has the authority to make 
personal information available to the CBSA for the administration or enforcement of 
the IRPA, subject to the conditions agreed to herein. 


4.2 . Authority for the CBSA to collect information 

Pursuant to section 4 of the Privacy Act, R.S.C. 1985, c. P-21, the CBSA may only 
collect personal information that relates directly to an operating program or 
activity. With respect to this Agreement, the CBSA collects personal information for 
purposes of the IRPA, including pursuant to Sections 11, 20 and 22 of the IRPA and 
Part 11 ofthe IRPR. | 
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4.3 Information to be disclosed by ESDC to the CBSA 

Where ESDC provides personal and/or employer information to the CBSA, ESDC will 
search its internal databases, systems and any paper documents and disclose 
information elements listed in Annex C and Annex D of this Agreement to the extent 
these are available. 


4.4 Secondary disclosure by the CBSA 

Subsection 35(2) of DESDA prohibits the CBSA from making available the 
information obtained from ESDC pursuant to this paragraph to any other person or 
body unless the Minister of ESD considers it advisable and the information is made 
available for the same purpose and it is subject to conditions agreed upon by the 
Minister and the CBSA. 


The CBSA hereby undertakes that no subsequent disclosure of the information will 
be made by the CBSA in a form that could reasonably be expected to identify the 
individuals to whom it relates unless strictly required by law or permitted pursuant 
to this Agreement. 


5.0 DISCLOSURE BY THE CBSA TO ESDC FOR ADMINISTRATION AND 
ENFORCEMENT OF THE TEMPORARY FOREIGN WORKER PROGRAM 


5.1 Authority for the CBSA to disclose information 

Pursuant to paragraph 8(2)(a) of the Privacy Act, and under section 209.92 of IRPR, 
the CBSA has the authority to disclose information related to its programs to the 
ESDC for the administration or enforcement of the IRPA. 


5.2 Authority for ESDC to collect information 
Pursuant to section 4 of the Privacy Act, R.S.C. 1985, c. P-21, ESDC may only collect 
personal information that relates directly to an operating program or activity. 


Pursuant to sections 30(1.43) of the IRPA and 203 of the IRPR, ESDC is required to 
provide labour market impact assessments (LMIA) to employers, group of 
employers or the Department of Citizenship and Immigration (CIC) upon request. In 
assessing requests for such LMIAs, ESDC is authorized to coliect certain personal 
information. 


Section 209 of the IRPR provides the authority for ESDC to conduct inspections and 
verify an employer's compliance with the conditions outlined in the IRPR. 
Collection of personal information in the course of these inspections is therefore 
authorized. | 


5.3 Information to be disclosed by the CBSA to ESDC 

Where the CBSA provides ESDC certain information that will help ESDC identify the 
personal information sought, the CBSA will search its internal databases, systems 
and any paper documents and disclose information elements listed in Annex E of 


this Agreement to the extent these are available. 
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54 Secondary disclosure by ESDC 
ESDC hereby undertakes that it will not make any secondary disclosure in a form 
that could reasonably be expected to identify the individual to whom it relates 


unless strictly required by law. 


Section 37 DESDA authorizes ESDC to disclose personal information ifthe Minister 
of ESDC considers that it is in the public interest. This is not considered secondary 
disclosure for purposes of this Agreement. 


6.0 ACCESS, CONFIDENTIALITY, USE, DISCLOSURE OF PERSONAL 
INFORMATION (Disclosed under paragraphs 4 and 5] 


6.1 The Parties undertake to use their best efforts to fully maintain and protect 
the confidentiality of the personal information they receive under this Agreement. 


6.2 Only those employees who require the personal information in the course of 
their employment and duties will have access to it. 


6.3 The Parties will not, in respect of any personal information they obtain from 
each other under this Agreement 


(a) use that information for a purpose other than that for which it was 
respectively provided to them; and 

(b) disclose that information to any person or body for a purpose other than 
that for which it was respectively provided to them and as authorized in 
this Agreement, 


6.4 The Parties may use personal information they obtain from each other under 
this Agreement for a purpose other than that for which it was obtained: 


(a) with the consent of the individual to whom that information relates; or 
(b) if required by legislation. 


6.5 The Parties may disclose personal information they obtain from each other 
under this Agreement to any person or body for any purpose: 


(a) with the consent of the individual to whom that information relates; 

(b) in a form that cannot reasonably be expected to identify the individual to 
whom that information relates; or 

(c] if required by legislation. 


6.6 In the event ofa request under the Access to Information Act or Privacy Act 
for personal information obtained from another Party, the Parties agree to consult, 
when required, prior to any disclosure of such information. 


e 
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6.7 The Parties acknowledge that it is an offence under s. 42 DESDA for an yone to 
knowingly use or make available personal information otherwise than in 
accordance with this Agreement. An individual found guilty could be subject to a 
fine of up to $10,000 or to imprisonment for up to six months, or both. 
Organizations guilty of the same offence could be subject to a fine of up to $100,000. 
This provision also applies to third parties to whom the personal information is 
disclosed. 


7.0 DISCLOSURE TO A THIRD PARTY 


7.1 For the purposes of this Agreement, a third party does not include Shared 
services Canada, a department of the Government of Canada established under 
section 4 of the Shared Services Canada Act, S.C. 2012, c. 19, responsible for the 
provision of information technology (IT) infrastructure services to Canada, that may 
include e-mail, data centre (servers) and network services. 


OF EXCHANGE OF INFORMATION 


8.0 METHOD 


8.1 Personal information covered by this Agreement will be provided using 
protocols, formats, methods and technology agreed upon by both Parties to be 
defined in the Annexes to this Agreement so as to provide for secure, efficient, 

effective and timely disclosure of information from one Party to the other. 


8.2 The Parties agree to review various modalities of transmission to ensure 
each Party's compliance with its respective legislation, policies and procedures 
relating to the transmission of personal information. 


8.3 The Parties agree that itis not mandatory for the information to be disclosed 
through an automated system. 


8.& The Parties will, when transmitting information under this Agreement: 


9.0 INFORMATION MANAGEMENT AND SECURITY REQUIREMENTS 


9.1  inaddition to Section 6, all personal information obtained under this 
Agreement will be collected, used, maintained, stored, retained, disclosed, destroyed 
or disposed of and otherwise administered and protected in accordance with ali 
applicable legislation. 
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9.2 The Parties will take all reasonable measures to observe their respective 
information Management and Security requirements to ensure the confidentiality 
and integrity of information they receive under this Agreement and to safeguard 
that information against accidental or unauthorized actess, disclosure, use 


modification and deletion. 


9.3 Each Party is responsible for keeping Info Source and all related Personal 
information Banks up to date. 


9,& ESDC will follow any applicable legislation governing the protection of 
information including Part 4 of DESDA, the Privacy Act, the Library and Archives of 
Canada Act and regulations made under any of the foregoing and any other 
applicable federal legislation, the Government of Canada's Policy on Government 
Security, the Electronic Documents and Records Management Solutions Standard, 
and other related Policies, Standards and Directives, as well as all applicable 
departmental policies, protocols, operating directives, and guidelines, covering the 
administrative, technical and physical safeguarding, and disposal, of the personal 
information. 


9.5 The CBSA will follow any applicable legislation governing the protection of 
information including the /mmigration and Refugee Protection Act, the Canada Border 
Services Agency Act, the Privacy Act, the Library and Archives of Canada Act and 
regulations made under any of the foregoing and any other applicable federal 
legislation, the Government of Canada's Policy on Government Security, the 
Electronic Documents and Records Management Solutions Standard, and other 
related Policies, Standards and Directives, as well as all applicable departmental 
poiicies, protocols, operating directives, and guidelines, covering the administrative, 
technical and physical safeguarding, and disposal, of the personal information. 


2.6 Where necessary and as agreed by the Parties, these obligations may be 
further specified in additional documents or agreements relating to the technology 
to be used. 


9.7 ESDCand the CBSA will take such reasonable security measures to protect the 
confidentiality of the personal information exchanged under this Agreement. 
Security Measures are described in Annex F. 


10.0 ACCURACY OF INFORMATION 


10.1 Each Party will take all reasonable measures to maintain complete, accurate 
and up to date personal information for exchange under this Agreement. However, 
itis understood and agreed that they cannot guarantee its accuracy and 
completeness and will, therefore, not be held responsible by the other party for any 
damage resulting from the transmission or use of any information that is inaccurate 
or incomplete 
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10.2 The Parties will promptly notify the other if it learns that inaccurate 
information may have been disclosed and take all reasonable remedial steps to 
address the situation. 


11.1 Provided that a disclosure or a failure to disclose personal information is 
done in good faith and reasonable care has been taken to comply with the applicable 
federal or provincial legislation, the Parties will not assume any liability whatsoever 
for the misuse of the personal information provided to the other under this 
Agreement. The security measures in effect with the Parties serve to maintain the 
integrity and confidentiality of the information disclosed to the other. 


11.2 The Parties will each be responsible for the actions of their employees and 
agents with respect to the collection, disclosure, use, retention and disposal of 
personal information in their custody or under their control. 


11.3 The Parties will investigate all cases where they have reasonable grounds to 
believe that any of the conditions set out in this Agreement has been or are likely to 
be breached by them, their employees or agents according to their internal 
protocols and procedures. This includes any case where it is alleged, suspected, or 
there is evidence that there has been unauthorized access, use, disclosure or 
modification of the personal information exchanged under this Agreement, 
modification of a permitted use, misuse or breach of confidentiality, or any incident 
which might jeopardize or has jeopardized the security or integrity of their 
respective computer systems or networks used to access and transmit the personal 
information, all or any of which are referred to as a Security Breach. 


11.4 For ESDC, the procedures to be followed in an investigation are found in the 
Departmental Directive on How to Respond to Security Incidents Involving Persona! 
information, and any successor document. For CBSA, the procedures are found in 
the Security Volume- Physical Security Standards for Security Incident Reporting 
and in the Corporate Affairs Branch document entitled Canada Border Services 
Agency Privacy Breach Protocol. 


11.5 Inthe event of a Security Breach, ESDC or the CBSA will immediately advise 
the other Party, and provide a detailed written report of the circumstances of any 
Security Breach and any remedial actions taken. 


M 


11.7 


UNCLASSIFIED 


Director 

Policy and Program Design Division 
Temporary Foreign Worker Directorate 
Employment and Social Development Canada 
Place du Portage, Phase IV 

140 Promenade du Portage 

Gatineau, Québec 

K1A 0]9 


Director, Access to Information and Privacy 
Employment and Social Development Canada 
Piace du Portage, Phase IV 

140 Promenade du Portage 

Gatineau, Québec 

KIA 0]9 


Notice to the CBSA will be sent to: 
Director 

Program and Policy Management Division 
Traveller Programs Directorate 

Canada Border Services Agency 

191 Laurier Avenue West 

Ottawa, Ontario 

K1A 0L8 


Director General 

Security and Professional Standards 
Canada Border Services Agency 

410 Laurier Avenue West 

Ottawa, Ontario 

KIA OL8 


Director, Access to Information and Privacy Division 
Canada Border Services Agency 

410 Laurier Avenue West 

Ottawa, Ontario 

KIA OLS 


Director, Enforcement and intelligence Policy Division 
Canada Border Services Agency 

100 Metcaife Street 

Ottawa, Ontario 

KIA 0L8 
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11.8 Upon being notified of a Security Breach, ESDC or the CBSA so notified may 
do any ofthe following on receipt of the notice: 


a) review the steps proposed by the other Party to address or preventa 
recurrence of the Security Breach; 

b) direct that any additional specific steps be taken to prevent a 
recurrence; 

c) suspend the disclosure of personal information under this Agreement 
until satisfied that the other Party has complied with the Agreement 
and any directions; or, 

d) terminate this Agreement pursuant to section 17. 


12.0 INFORMATION MANAGEMENT AUDIT 


12.1 ESDC and the CBSA are both, and will remain, subject to their own internal 
audit procedures to ensure compliance with their program goals and statutory 
mandate, including compliance with this Agreement. ! 


12.2 ESDC and the CBSA will provide a copy of their respective audit reports to 
each other, as applicable. 


12.3 Where deficiencies in ESDC's or the CBSA's information management 
practices affecting compliance with the requirements of paragraphs 8 to 10 or the 
security, confidentiality and integrity of information exchanged under this 
Agreement are identified in an audit report, the body concerned will take 
appropriate corrective action forthwith to remedy those deficiencies. 


13.0 PRIVACY IMPACT ASSESSMENTS 


13.1 The Parties will comply with the Treasury Board policies related to the 
completion of a Privacy Impact Assessment (PIA) and a Threat and Risk Assessment 
(TRA) covering the exchange of personal information under this Agreement. The 
Parties agree to provide a copy of the relevant portions ofthe related reports to 
each other. 


13.2 Where issue(s] are identified in either the PIA or the TRA, the Parties agree 
to work together to address the issue(s). 


13.3 When an issue cannot be resolved to the satisfaction of both Parties, it will be 
reterred to Dispute Resolution as provided for in section 19 of this Agreement. 
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14.0 COMING INTO FORCE 


14.1 This Agreement will come into effect at the time it is last signed and will 
remain in effect until terminated by the Parties in accordance with Section 17 or 
replaced by another agreement. 


14.2 This Agreement will be reviewed at least once every five years to ensure that 
is remains up to date and to make any amendments that may be required. 


15.0 AMENDMENTS 


15.1 Subject to paragraph 14.2, amendments to the terms of this Agreement will 
be made by an amendment executed by the Designated Representative (paragraph 
18.1) of each Party in writing. 


15.2 Amendments to the information to be disclosed as set out in the Annexes to 
this Agrcement will be approved by the Designated Representatives (paragraph 
18.1) of each Party. Any other amendments will be approved at the level of the 
Deputy Minister of the parties to this Agreement unless otherwise duly authorized 
by law, | 


16.0 FINANCIAL AGREEMENTS 


16.1 Each Party will bear any costs they may incur in carrying out their 
obligations under this Agreement unless otherwise agreed to in writing. 


17.0 TERMINATION 


17.1 Either Party reserves the right to terminate this Agreement by giving 90 
days written notice to the other Party. 


17.2 Inthe event of the termination or amendment of this Agreement, the 
protection of information provisions set out as part of this Agreement continue to 
apply to and in respect of the information that has already been disclosed under this 
Agreement. 


17.3 The Parties reserve the right to terminate this Agreement in the event of non- 
compliance with the terms of this Agreement, The Pa rty wishing to terminate this 
Agreement will send to the other a written notice of termination stating the reasons 
for terminating; the latter Party will upon receipt of this notice, take measures to 
remedy the situation to the satisfaction of the first Party within thirty (30) business 
days of the notice or such further time period agreed upon by the Parties, failing 


+ 


which the Agreement will be automatically terminated. 


10 


CBSA - Released un: 
ASFC - Divulgation 


der the Access to Information Act. 


en vertu de la loi sur l'Accès à l'information. 


UNCLASSIFIED 


17.4 The following provisions survive the termination or expiry of this Agreement 
and continue in full force and effect, and do not merge: Section 6, Section 9 and 
section 10. 


18.0 MANAGEMENT AND GOVERNANCE 


18.1 ESDCand the CBSA agree to each designate representatives to act as their 
contact persons for any issues related to the development, implementation, and 
administration of this Agreement. 


For ESDC: Director General, Temporary Foreign Worker Directorate 
Employment and Social Development Canada 


For the CBSA: Director General, Traveller Programs 
Canada Border Services Agency 


Director General, Enforcement and Intelligence Programs 
Canada Border Services Agency 


18.2 The Designated Representatives may appoint delegates to review the 
Agreement and provide advice on the development, implementation and 
administration of the Agreement and the adequacy of any privacy measures. 


18.3 The delegates may meet as necessary to conduct these activities and to review 


any audit reports. 


19.0 DISPUTE RESOLUTION 


19.1 inthe event of a dispute between the Parties arising out of this Agreement or 
Annexes, the Parties agree to make every effort to resolve it at the levels within their 
respective organizations at which the dispute arose. If any dispute remains 
unresolved by this process within fifteen business days of notification of the dispute, 
or such further period as may be agreed upon by the parties, the Parties agree that 
the dispute will be escalated to the Designated Representatives identified in Section 
18 of this Agreement for resolution. 

20.0 NOTICE 

20.1 The Parties undertake to provide each other, as soon as practicable, notice of 
any change in legislation, regulation, policy, computer systems or funding relating to 
their respective programs that may impact either Party's ability to fulfil! the 


obligations as described in this Agreement. 


20.2 The Parties agree to advise and consult the other party at least six (6) 
months in advance, or as early as is otherwise possible, if information technology 
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changes will affect the availability, means of access, or reliability of the information 
agreed to be exchanged. 


20,3 Any notice or communication between the Parties, Be. the exception of the 
information exchanged for the purpose of Paragraphs 4, 5 and 7 of this Agreement 
that is required or permitted pursuant to this Agreement will be i in writing by the 
Designated Representative. 


21.0 GENERAL 


21.1 The Annexes to this Agreement are an integral part of this Agreement and 


om *» 


are as follows: 


Annex A- Definitions 

Annex B- Record Disposition Authorities 

Annex C- Information to be provided by ESDC to the CBSA under section 

34(1) and of the DESDA 

Annex D- Information to be provided by ESDC to the CBSA under section 
. 35(1) of the DESDA 

Annex E- Information to be disclosed by the CBSA to ESDC 

Annex F- IT Security and IT Problem Management 


41.2 This Agreement may be executed by the Parties in ird te counterparts, 
each of which when so executed and delivered will be an original, and all such 
counterparts may be delivered by facsimile or electronic (email) transmission and 
such transmission will be considered an original. 


IN WITNESS WHEREOF this Agreement has been signed on behalf of the Parties by 
their duly authorized representatives. 


ror ESC: " 
4 "D 


"i eee 

imam Minister 

Employment and Social Development 
Canada 


For the CBSA: 


Luc Portelance Date 
President 


Canada Border Services Agency 
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ANNEX A 
Definitions 


"Access" - is the action from which an individual or organization collects, 
views, uses, discloses, manages and retains information described in the 
Agreement. This also includes connectivity to IT systems, paper forms or 
information in any other format. 


"Authorized User" - employees who have been granted access to the 
personal information and aggregate data identified in this Agreement in 
accordance with the security requirements set out in this Agreement. 


"Criminal Investigation Information Management System (CIIMS)"- 
CIMS is the principal information management system used by employees in 
the CBSA's Criminal Investigations Program. 


"Economic Class Permanent Residents (ECPR)" - refers to the economic 
class under which foreign nationals may apply and are selected for 
permanent residency to Canada. Applicants are selected on the basis of their 
ability to become economically established in Canada. 


"Foreign Worker System (FWS) "- the FWS is ESDCs single, integrated 
system used internally to process applications for LMIAs and to track 
employer compliance with Program requirements. The FWS stores only the 
personal information required to process LMIAs and conduct assessments of 
employer compliance. The personal information collected includes, but is not 
limited to, client identification (i.e., family name and given names, gender, 
date of birth, country of birth, etc.), contact information and history, job offer 
information, compliance history etc. 


The FWS provides a level of protection that reflects ESDC's need for 
information availability and integrity, Government of Canada requirements 
for protected B level information, and the requirements of the Privacy Act 
and associated Treasury Board policies. The FWS also responds to key data 
exchange agreements with other federal departments and acts as an efficient 
means of exchanging data on the outcomes of LMIAs and compliance 
assessments. 


"Global Case Management System (GCMS)"- the GCMS is a single, 
integrated and worldwide system used internally to process applications for 
citizenship and immigration services. GCMS stores only the type of personal 
information required to process citizenship and immigration applications. 
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"Field Operations Support System (FOSS)" - FOSS is an electronic svstem 
of record in which CIC and CBSA officers enter and obtain information about 
immigration and citizenship clients. The information obtained from FOSS is 
used to facilitate decisions in immigration, citizenship, and enforcement 
cases. 


"Integrated Customs Enforcement System (ICES)"- [CES isa repository for 
CBSA enforcement-related information. 


"Intelligence Management System (IMS)" - IMS and its Occurrence 
Reporting System (ORS) sub-module, is a CBSA system used to house 
intelligence information. 


"Labour Market Impact Assessment (LMIA)" - is the opinion provided by 
ESDC or CIC in accordance with section 203 of the IRPR. In assessing 
requests for LMIAs, ESDC considers whether the employment of a foreign 
worker is likely to have a positive or neutral effect on the Canadian labour 
market. The LMIA is used to support the application of a foreign national for 
a work permit when required under IRPR. 


ER Y 


National Case Management System (NCMSY"- NCMS is the CBSA's primary 
immigration enforcement case management system. 


"Personal Information" - Personal Information as defi ned in section 3 of 
the Privacy Act. 


"Temporary Foreign Worker" - refers to any foreign national who has been 
authorized to work temporarily in Canada under the IRPA. 


"Temporary Foreign Worker Program (TFWP)” - refers to the streams 
under which an employer who wished to hire a foreign worker must obtain 
an LMIA from ESDC. 


"Secure Tracking System (STS)"- STS isa storage and information system 
used at the CBSA, which plays a role in screening immigration applicants. 
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ANNEXB 
Record Disposition Authorities 


1.0 RECORD DISPOSITION AUTHORITIES 


are retained and then sent to LAC 2, 5, 7 or 10 years (depending on type of 
document) after completion or after becoming obsolete/superseded. Documents 
from regional and local ESDC offices are retained and then sent to LAC 5 or 10 years 
(depending on type of document) after completion or after becoming 
obsolete/superseded. 


12 The CBSA has a Library and Archives Canada record disposition authority 
Immigration 2006/004 and 00/033. CBSA documents are subject to the following 
various retention periods: 2, 3, 5, 7, 10, 15 or 20 years. Documents are sent to 
private storage facilities (depending on the type of document and corresponding 
retention period) after becoming obsolete or superseded. 
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ANNEX C 
Information to be provided by ESDC to the CBSA under Section 34(1) of the 
DESDA: 


1.0 METHOD OF INFORMATION EXCHANGE 


1.11  Fortheissuance of a Work Permit 
The data elements listed in section 2 may be disclosed to the CBSA for the 
assessment and issuance of a Work Permit. 


1.1.1 Electronically, the CBSA has view only access in FOSS to the Foreign 
Worker System (FWS) - Global Case Management System (GCMS) system-to- 
system interface. Via this interface, the CBSA will have view only access to 
those data elements identified with an asterisk in the table below. 


1.1.2 The FWS-GCMS interface gives the CBSA real-time access to 
information stored in ESDC’s database. Personal information available via the 
FWS-GCMS interface may be linked to allow for automatic information 
exchanges and to enable the CBSA to view ESDC's FWS. 


1.13 Ifnot available via the system-to- “system interface, this information 
can be made available electronically - 
or paper copy of the original document(s), 


1.1.4 À written request for information not available via FWS-GCMS 
interface will include, at a minimum, the following information: the 
requesting officer name, the requesting officer position, de O ical 
contact information (telenhone and/or email), seston of person 
information elements requested, legislative statute and associated Section 
reference(s) and purpose (description of enforcement activity) for which the 
information will be used. 


"POUR 


1.1.5 ESDCis responsible for the administration and maintenance of the 
The CBSA will have access to this in order to deposit and extract 
the agreed upon information. 


1.1.6 The is designed to meet all the security requirements for 
exchanging personal information. The exchange of information will be 
protected from unauthorized access since both parties will be using 
capability to access and use the 
Approved user(s) will be given access codes to ESDC's 0 
retrieve source files. 


1.1.7 ESDC will upload data elements to the as per section 2 of 
Annex C on a case by case by case basis, as requested by the CBSA. 
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1.1.8 A notification email will be : sent to the designated approved user, 
confirming data transfer success. E 


1.1.9 Ifa paper copy of the information is requested, it will be provided 
directly to the requesting CBSA Officer as per Government Security Policy 
Guidelines. 


2. DATA ELEMENTS TO BE DISCLOSED BY ESDC TO THE CBSA 


2.1 Personal Information contained in the following table related to a LMIA may 
be made available to the CBSA: 


*Em lover. business and legal name _ TETUR 
*Employer mailing address, including street number, city, province, postal code, phone number 
and fax number. a eer re 
*Employer business address (if different than mailing address), including street number, city, 
| province, postal code EUM RT ARE . Oo 
Type of Business mae OON : 
Jes ionse to Question: Is the business a franchise? —— 
Response to Question: If the business is a franchise, is the corporate > head office aware of this 


| app ication f for as 


al plicable, fax number and e-mail address | 


Pr eferred Officia -Language of Corresponde 


ome to Question Are eeu Ud using the plana of: a third- “party, recruiter or employment 
agency for the purposes of hiring a TFW? 


Name of third-t arty, recruiter or employment agency for the purposes of hiring a TFW = 


Registration, license or certificate number ——— "n 
pé se to ia Are you appointing a a i third- -party to represent you in completing this 
ration process? _ 


| Business Details m" 
Aun ber of employees Current / yempioyed ı nationally: unde: 


caa drei nn iin : 


Res; onse to Question: Did; you em TFW] in the Tast ua y years, rior to Dece omber SL BOTS. 


Response to Question: Did you provide all TFWs employed by you in the last two years with 
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| wages, working conditions and employment in an occupation that were substantially the same as | 
i those that were described in the offerfs) of employment? 
fo eee ee RR. SUI LI RR RUN KK UAR Pede aai rr Ae ii 


Response to Question: Have you applied for and received a positive LMIA on or after December | 
20137 | 


| ET re remonts ofthe ——<—<—$— — 


“Experience seus re quirements ofthejob — — 


Response t to dl Ist 
" | “Benefits 
| "Other benefits ; 
sing or 
b? ify ye | itying/lice | reda body 


hat the | ere is p art tofa of a union. if yes, name e of the Union, 


emen to VR n: Has the union been consulted ahout hiri inga TFW? If yes, whatis th 
: of. the union? " 


| ee to inl What are ae pétennal [EU to the vows 
UT Pio ? 


| Reese to s Question: Do: you irm to hire or train Canadians f permanent residents for the position 
E which m re pesinga an 9 pinion? _ 


Number of eum | jermanent r r esident irit applicants i interviewed 
| Number of Canadians/permanent r esidents offered the position 


LN umber of canadians/ permanent residents hired. 


ipeum to neston: wil the S. of ibo TEWs lead to job loses, now or in the fo reseeable | 


| future, for Canadians/permanent residents as a result of las yoffs, outsourcing, offshoring or other 
L factors related to utilizing T FWs? 
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| Response to Question: Is the job offer related to an activity, contracto ora subcontract that will 
| facilitate outsourcing or offshoring? — — — | M 

Film and Entertainment Requests. ws TN oo 

Name of Production. 
| Total number of people involved in the p roduction | 
"Type of Production dé ms mu 
| Copy of the contract between the employer and the foreign entertainer(except for film and TV 
| requests) 


Temporary Foreign Worker Information -. 


Surname as shown on passport — — 1 ERN M e 


Given name as shown on passport | —ć  ć | | 
L bender Hite ene ema à i ME 
| *Date of birth MEE m uet S 2 


| "Location c of residence outside of Canada | 


ecrans of Eo IB o p db ts S ATL d a 5 de 
Declaration of proprietorship rs ET E 


| Signature of employer and third party (it 
rares zlver Program 


oe for the. abe a to the caregiver and explanation of how it meets the employment needs | 
of = applicant _ | 


Eurer of de em peres to person S who! wilt receive care ds Le; child. care, care of elderly person, 
i care of person with disability) — — LLL ee NM 
*Location of where care will be provided and where foreig gn caregiver r will reside (address, city, j 
rovince/territory, postal code) — 000000000 | 


| 
5 

[> *Describe the main duties of the jc 
| "Language requirements 

| (Oral: English, French, other. SUR En; lish, French, other) 
Accommodations charges 
Meal char es a 


| Sender birth 


Total # of C ce agricultural work der employed: 


This year 
Lastyear 
| Total # of foreign agricultural worker requested: 


> 
& 


| # This year. A ee ee 
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last. ear | 


| debes 
| Direct arrival, direct replacement, double arrival, double transfer, replacement transfer, double 
: paria, u mn | 


i + 
ji 
E 
H 
i 
H 
} 
| 
H 


| 
ES 
Haas 


ill 


| Mailing Address includi ing street number, city, province, | postal code, phone number and fax 


| number - 

| Business Address including street number, city, province, postal code, phone number and fax : 
number. | | 

E Main activity ‘of the business a NM: | 

Principal contact name — | B paw RR | 


job Title 


Tele hone Number 


| Fax Number 


E ES ress — 


| Business esie | 
E C CRA Business Ni umber 


Number of RAT | panic Eum Pe 
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eer to anne Have you com Dons a on Plan for "this occupation at this Work 
location before? If yes, did the number of TFWs decrease relative to the number of 
Canadians/permanent resident workers for this occupation at this location as a result of activities 
| conducted in the Transition Plan. 
| Descri ption of planned activities 
| Proposed dates for activities 


| Results of planned activities 
| Actual r esults of activities l 
| Milestones/benchmarks for activities, proposed and actual result 


| 
| ® Total number of applicants l 
| * Total number of applicant interviewed | 
| * Total number of positions offered | i 


| 9 Total number atapi vem tired | 


Employer Gane Review (ECR} Results: "Wages, Occupation and Workii ng Conditions (WOW) 
of the LMIA confirmation 

e employer name and contact information 

e jobtitle, occupation and NOC codes | 

e results of findings, including areas of non-compliance and associated corrective actions to be 

undertaken 

e findings of non-compliance 

æ ECRperiod | 

Inspection Results: Conditions of the LMIA confirmation 

e employer name and contact information 

e job title, occupation and NOC codes 

e results of findings, including areas of non-compliance and associated corrective actions to be 

undertaken 

e findings of non-compliance 
| inspection or review period _ 
Ministerial Instructions: - 
e empioyer name and contact information 
æ job title, occupation and NOC codes 
| e type of instruction ordered 
| date of decision 


ER TRI PP sn ns — — PNE UNE pix ARAS 
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ANNEX D 
Information to be provided by ESDC to the CBSA under section 35(1) of the 
DESDA: 


1.0 METHOD OF INFORMATION EXCHANGE 


1.1 The Data elements listed in Section 2 of Annex C and Section 2 of Annex D 
may be disclosed to the CBSA under section 35(1). 


1.2 Disclosures under Annex C may be made on ESDC's own initiative or by 
written request from the CBSA. 


1.2.1 Electronically, the CBSA has view only access in FOSS to the Fo reign 
Worker System (FWS) - Global Case Management System (GCMS) system-to- 
system interface. Via this interface, the CBSA have view only access to those 
data elements listed in Section 2 of Annex C. 


1.2.2 Ifnotavailable via the system-to-system interface, this information 
can be made available electronically 
|. A or paper copy of the origina: aocuments}. 


1.2.8 A written request from the CBSA will include, at a minimum, the 
following information: the requesting officer name, the requesting officer 
position, requesting officer contact information (telephone and/or email), 
description of personal information elements requested, legislative statute 
and associated section reference(s) and purpose (description of enforcement 
activity) for which the information will be used. 


1.2.4 Ifa paper copy of the information is requested, it will be provided as 
per Government Security Policy Guidelines. 


1.2.5 ESDCisresponsible for the administration and maintenance of the 
The CBSA will have access to this site in order to deposit and extract 
the agreed upon information. 


1.2.6 The 8 designed to meet all the security requirements for 
exchanging personal information. The exchange of information will be 
protected from unauthorized access since both parties will be using 
capability to access and use the 
Approved user(s] wil be given access codes to ESDC's to 
retrieve source files. 


1.2.7 ESDC will upload data elements to the as per Section 2 of 
Annex C on a case by case by case basis, as requested by the CBSA. 
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1.2.8 A notification email will be sent to the designated approved user, 
confirming data transfer success, 


2. ADDITIONAL DATA ELEMENTS TO BE DISCLOSED BY ESDC TO THE CBSA 


2.1 Personal Information, in addition to that collected on the LMIA Application 
form (listed in Annex C), related to the assessment of an LMIA may be made 
available to the CBSA upon request: 
e the third party representative authorization form and contract between third 
party and employer 
proof of advertising 
business license 
T2 Schedule 125 Income Statement 
T2 Schedule 100 Balance Sheet 
Workers Compensation Clearance Letter 
employer/employee contract | 
correspondence between ESDC/Service Canada and employer or authorized 
third party | 
+ labour market decision letter issued to the employer 
e guarantor attestation for Caregiver stream 
e Employer Compliance Review (ECR) Findings, including: 
o employer name and contact information 
job title, occupation and NOC codes 
results of findings, including areas of non-compliance and associated 
corrective actions to be undertaken 
© outcome of non-compliance 
o ECR period 
e Inspection Findings, including: 
o employer name and contact information 
job title, occupation and NOC codes 
results of findings, including areas of non-compliance and associated 
corrective actions to be undertaken 
© outcome of non-compliance 
© inspection period 
e Ministerial Instructions: 
o employer name and contact information 
c job title, occupation and NOC codes 
o type of instruction ordered 
o date of decision 
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2.2 Personal Information contained in the following documents related to the 
FSWP may be made available to the CBSA: 
e the application form 
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the third party representative authorization form and contract between third 
party and employer 

the offer of permanent employment to the foreign national 

copies of remittance forms issued by the Canada Revenue Agency (CRA) 
itemizing source deductions for the previous 12 months (form number 
PD7A) as well as CRA T4 "Summary of remuneration paid" for the previous 
tax year 

CRA Notice of Assessment 

Signed T2 (corporate Income Tax Return) and T212 

T2125 Statement of Business or Professional Activities 

business licenses spanning 12 months or a commercial lease agreement for 
the business location 

correspondence between ESDC/Service Canada and employer or authorized 
third party related to the application 


ESDC may, upon request or on its own initiative, and as appropriate, disclose 
information related to ESDC's responsibilities under the IRPA to the CBSA for the 
purpose of investigating any other alleged non-compliance with IRPA. 
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ANNEX E 
Information to be disclosed by the CBSA to ESDC: 


1.0 | METHOD OF INFORMATION EXCHANGE 


1.4 For Employer Compliance Activities 
The data elements listed in Section 2 of Annex E may be disclosed to ESDC for the 
assessment of employer compliance activities. | 


1.33.1 This information may be made available electronically 
n | or paper copy of the original 
aocument(s). 


1.1.2 ESDC is responsible for the administration and maintenance 
The CBSA will have access in order to deposit the agreed 
upon information. 


1.1.3 The is designed to meet all the security requirements for 
exchanging personal information. The exchange of information will be 
protected from unauthorized access since both parties will be using 

to access and use — 


interface will include, at a minimum, the following information: the 


reference(s) and purpose (description of enforcement activity) for which the 
information will be used. 

1.1.5 The information will be extracted from the FWS database and 
formatted for use: 

1.1.6 In order to match the (TFWP) employer information with information 


1.1.7 Ifa paper copy of the information is requested, it will be provided as 
per Government Security Policy Guidelines. 


2.0 DATA ELEMENTS TO BE DISCLOSED BY THE CBSA TO ESDC 
24.1 Upon request, or on its own initiative, as appropriate, the CBSA will disclose 


the following information to ESDC for the purposes of assessing requests for LMIAs, 
reviewing such opinions or carrying out an inspection under the IRPR: 
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e information related to anyone who has submitted an application under the 
TFWP/FSWP and for which charges have been laid as weil as when 
convictions are rendered 

e aggregate and non-case specific statistical information on TFWP-related 
criminal investigations 

e additional information as may be requested by ESDC and for which the CBSA 
has the authority to disclose under the Privacy Act, but excluding the 
disclosure of case-specific information pertaining to ongoing criminal 
investigations 

e convictions under IRPA of individuals or employers who requested or 
received an LMIA 

e information received by the CBSA, including tips from third parties, that may 
not warrant criminal investigation and would instead be more appropriately 
addressed through regulatory actions by ESDC 


2.2 The CBSA commits to informing ESDC prior to undertaking public 
communications activities related to a TFWP-related criminal investigation. 


2.3 The following information related to criminal charges/convictions will be 
shared with ESDC: 


| Sentent cefs) 


Other information that is collected under the authority of IRPA may also be shared 
(e.g. details of fraudulent information that was included in LMIA requests). Requests 
would be assessed on a case-by-case basis. 
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IT Security and IT Problem Management 


4. 


1.1 


1.2 


1.4 


INFORMATION MANAGEMENT 


The information received by each Party under the Agreement will be 
protected as provided for under the laws of Canada and in accordance with 
the Agreement, Section 7.0 and Annex F. Personal information is to be 
safeguarded by a high level of protection to ensure the quality, integrity, 
privacy and security of the disclosure process. 


On the request of the CBSA, ESDC will provide information describing its 
security measures. ESDC will take such reasonabie security measures to 
protect the confidentiality of the personal information exchanged under this 
Agreement, as may be required by the CBSA. 


On the request of ESDC, the CBSA will provide information describing its 
security measures. The CBSA will take such reasonable security measures to 
protect the confidentiality of the personal information exchanged under this 
Agreement, as may be required by ESDC. 


For ESDC: 


1.4.1 The methods of protection include physical measures, for example, 


1.5 


locked filing cabinets and restricted access to offices; Departmental 
measures such as appropriate employee security clearance levels and 
limiting access to a "need-to-know" basis; and technological measures 
such as the use of passwords and encryption. ESDC make their 
employees aware of the importance of maintaining the confidentiality of 
personal information. 


For the CBSA: 


Fendi 


1.5.1 The methods of protection include physical measures, for example, 


2.4 


locked filing cabinets and restricted access to offices; Departmental 
measures such as appropriate employee security clearance levels and 
limiting access to a "need-to-know" basis; and technological measures 
such as the use of passwords and encryption. Through awareness, the 
CBSA makes their employees aware of the importance of maintaining the 
confidentiality of personal information. 


ESDCIT SYSTEMS, SECURITY REQUIREMENTS AND ACCESS 


ESDCs systems, FWS are subject to the Treasury 
Board Secretariats Policy on Government Security, Departmental Security 
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Policy and Procedures Manual and Departmental information Technology 
Security Policy. 


All system access activities by ESDC personnel are logged for audit purposes 


with built-in verification procedures for detecting and controlling any 
improper or inappropriate use of shared or exchanged personal information. 


2.2.4 The FWS 


2.2.1.1 The PWS is a secure single, integrated system designed to meet 
all the security requirements for storing personal information. 


2.2.1.2 The specific hardware components of the FWS include a secure 
web portal and server. © 


This hardware is not specific to FWS System. 
2.2.1.3 To access FWS proposed users must undergo a security 
screening process. Only authorized users who require the 


personal information in the course of their employment and 
duties will have access to the FWS. 
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3 THE CBSA IT SYSTEMS, SECURITY REQUIREMENTS AND ACCESS 


3.4 It is the policy of the CBSA to safeguard CBSA program information and to 
share and use this information only within established guidelines that adhere 
to Canadian law, CBSA policy, Canada's international treaty obligations, and 
the Agency's Code of Conduct, and in support of the effective delivery of 

_CBSA programs. 
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3.2 It is the policy of the CBSA to adhere to relevant Treasury Board Policy, 
including the Policy on Government Security. 


3.3 Prior to accessing CBSA systems, all CBSA personnel are required to obtain 
the required security clearance. 


3.4 Access to CBSA systems, and the level of access to information stored in those 
systems, is based on an employee's duties and the requirements of the 
position. 


3,41 CUMS 

3.4.1.1 The source of all information entered into this database is 
clearly identified. 

34.1.2 The source identifier remains permanently attached to the 
relevant information and is included in all query results. 

34.1.3 ^ Access to CIIMS is controlled via profile levels, and is granted 
only to those profiles that require access for investigative 
purposes. 


3.4.2 FOSS 
3.4.2.1 Employee level of access to information in this system is based 
on the requirements of their position. 
3.4.2.2 Any record that is created in FOSS using ESDC information will 
clearly identify ESDC as the source of the information and will 
include applicable caveats and restrictions on use of the 
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3.4.3  GCMS 
3.4.3.1 Employee level of access to information in this system is based 
on the requirements of their position. 
3.4.8.2 Any record that is created in GCMS using ESDC information will 
clearly identify ESDC as the source of the information and will 
include applicable caveats and restrictions on use of the 
information. 


3.4.4 ICES 
3.44.1 ESDC information will be used to create a record in ICES in 
very limited circumstances. 
3.4.4.2 Any record that is created in ICES using ESDC information will 
clearly identify ESDC as the source of the information and will 


30 


SP LP LILLIA REDON LAMININ ANN AWWA re tare T en. 


3.4.5 


4.2 


3.4.7 


3.4.4.3 


IMS 
3.4.5.1 


3.4.5.2 


3.4.5.3 
3.4.5.4 


NCMS 
3.4.6.1 


3.4.6.2 


3.4.7.3 
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include applicable caveats and restrictions on use of the 
information. | 

The record will also refer the user back to the source of the 
information. 

Records in this database are purpose-specific, and user access 
to those records is restricted according to the requirements of 
the employee's position. 


Ány records created in IMS will be associated with caveats 
specifying restrictions on use and disclosure. 

iMS access is strictly limited to members of the CBSA 
Intelligence Portfolio only. 

Ali potential disclosures are reviewed at the Manager level. 


IMS includes a systemic audit function and capability. 


Employee level of access to information in this system is based 
on the requirements of their position. 

Any record that is created in NCMS using ESDC information 
will clearly identify ESDC as the source of the information and 
will include applicable caveats and restrictions on use of the 
information. 


The source and date of all information and documents stored 
in this system are clearly identified. 

Access to STS is limited and restricted to users with Secret 
clearance and those approved by CBSA Intelligence, and 
subject to audit. 

All proposed disclosures of information contained in this 
database are reviewed by CBSA Intelligence management. 


IT PROBLEM MANAGEMENT 


The Parties agree to resolve any IT problem management issues within their 
respective organizations where the problem arose. 


The Parties agree that any irregular and/or suspicious activity that is 
detected by either Information Technology or Business Line staff will be 
reported and acted upon in accordance with each Party's respective 
operational guidelines. 
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4.3 Where an IT problem is identified, each Party agrees to notify the other as 
soon as possible, 


i3 
RA 


